diff --git a/.script/tests/KqlvalidationsTests/CustomTables/CrowdStrikeDetections.json b/.script/tests/KqlvalidationsTests/CustomTables/CrowdStrikeDetections.json
new file mode 100644
index 00000000000..5ad6d7045f4
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/CrowdStrikeDetections.json
@@ -0,0 +1,445 @@
+{
+ "Name": "CrowdStrikeDetections",
+ "Properties": [
+ {
+ "name": "TenantId",
+ "type": "String"
+ },
+ {
+ "name": "TimeGenerated",
+ "type": "DateTime"
+ },
+ {
+ "name": "AdversaryIds",
+ "type": "Object"
+ },
+ {
+ "name": "Behaviors",
+ "type": "Object"
+ },
+ {
+ "name": "BehaviorsProcessed",
+ "type": "Object"
+ },
+ {
+ "name": "CreatedTimestamp",
+ "type": "DateTime"
+ },
+ {
+ "name": "DateUpdated",
+ "type": "String"
+ },
+ {
+ "name": "DetectionId",
+ "type": "String"
+ },
+ {
+ "name": "FirstBehavior",
+ "type": "DateTime"
+ },
+ {
+ "name": "HostInfo",
+ "type": "Object"
+ },
+ {
+ "name": "LastBehavior",
+ "type": "DateTime"
+ },
+ {
+ "name": "MaxConfidence",
+ "type": "Int32"
+ },
+ {
+ "name": "MaxSeverity",
+ "type": "Int32"
+ },
+ {
+ "name": "MaxSeverityDisplayName",
+ "type": "String"
+ },
+ {
+ "name": "OverwatchNotes",
+ "type": "String"
+ },
+ {
+ "name": "AgentScanId",
+ "type": "String"
+ },
+ {
+ "name": "UpdatedTimestamp",
+ "type": "DateTime"
+ },
+ {
+ "name": "EmailSent",
+ "type": "SByte"
+ },
+ {
+ "name": "SecondsToResolved",
+ "type": "Int32"
+ },
+ {
+ "name": "SecondsToTriaged",
+ "type": "Int32"
+ },
+ {
+ "name": "ShowInUi",
+ "type": "SByte"
+ },
+ {
+ "name": "Status",
+ "type": "String"
+ },
+ {
+ "name": "AllegedFiletype",
+ "type": "String"
+ },
+ {
+ "name": "ChildProcessIds",
+ "type": "Object"
+ },
+ {
+ "name": "CloudIndicator",
+ "type": "SByte"
+ },
+ {
+ "name": "Cmdline",
+ "type": "String"
+ },
+ {
+ "name": "DetectionContext",
+ "type": "Object"
+ },
+ {
+ "name": "Device",
+ "type": "Object"
+ },
+ {
+ "name": "FalconHostLink",
+ "type": "String"
+ },
+ {
+ "name": "Filename",
+ "type": "String"
+ },
+ {
+ "name": "Filepath",
+ "type": "String"
+ },
+ {
+ "name": "GlobalPrevalence",
+ "type": "String"
+ },
+ {
+ "name": "GrandparentDetails",
+ "type": "Object"
+ },
+ {
+ "name": "Incident",
+ "type": "Object"
+ },
+ {
+ "name": "IndicatorId",
+ "type": "String"
+ },
+ {
+ "name": "IocContext",
+ "type": "Object"
+ },
+ {
+ "name": "LocalPrevalence",
+ "type": "String"
+ },
+ {
+ "name": "LocalProcessId",
+ "type": "String"
+ },
+ {
+ "name": "LogonDomain",
+ "type": "String"
+ },
+ {
+ "name": "Md5",
+ "type": "String"
+ },
+ {
+ "name": "NetworkAccesses",
+ "type": "Object"
+ },
+ {
+ "name": "OsName",
+ "type": "String"
+ },
+ {
+ "name": "ParentDetails",
+ "type": "Object"
+ },
+ {
+ "name": "ParentProcessId",
+ "type": "String"
+ },
+ {
+ "name": "PatternDisposition",
+ "type": "Int32"
+ },
+ {
+ "name": "PatternDispositionDescription",
+ "type": "String"
+ },
+ {
+ "name": "PatternDispositionDetails",
+ "type": "Object"
+ },
+ {
+ "name": "ProcessEndTime",
+ "type": "String"
+ },
+ {
+ "name": "ProcessId",
+ "type": "String"
+ },
+ {
+ "name": "ProcessStartTime",
+ "type": "String"
+ },
+ {
+ "name": "Quarantined",
+ "type": "SByte"
+ },
+ {
+ "name": "QuarantinedFiles",
+ "type": "Object"
+ },
+ {
+ "name": "ScanId",
+ "type": "String"
+ },
+ {
+ "name": "Sha256",
+ "type": "String"
+ },
+ {
+ "name": "Sha1",
+ "type": "String"
+ },
+ {
+ "name": "TemplateInstanceId",
+ "type": "Int32"
+ },
+ {
+ "name": "TemplateInterfaceId",
+ "type": "Int32"
+ },
+ {
+ "name": "TemplateInterfaceName",
+ "type": "String"
+ },
+ {
+ "name": "TreeId",
+ "type": "String"
+ },
+ {
+ "name": "TreeRoot",
+ "type": "String"
+ },
+ {
+ "name": "TriggeringProcessGraphId",
+ "type": "String"
+ },
+ {
+ "name": "DetectionType",
+ "type": "String"
+ },
+ {
+ "name": "UserId",
+ "type": "String"
+ },
+ {
+ "name": "UserName",
+ "type": "String"
+ },
+ {
+ "name": "UserPrincipal",
+ "type": "String"
+ },
+ {
+ "name": "AssignedToName",
+ "type": "String"
+ },
+ {
+ "name": "AssignedToUid",
+ "type": "String"
+ },
+ {
+ "name": "AssignedToUuid",
+ "type": "String"
+ },
+ {
+ "name": "Cid",
+ "type": "String"
+ },
+ {
+ "name": "CompositeId",
+ "type": "String"
+ },
+ {
+ "name": "Confidence",
+ "type": "Int32"
+ },
+ {
+ "name": "CrawledTimestamp",
+ "type": "DateTime"
+ },
+ {
+ "name": "Description",
+ "type": "String"
+ },
+ {
+ "name": "EndTime",
+ "type": "DateTime"
+ },
+ {
+ "name": "Entities",
+ "type": "Object"
+ },
+ {
+ "name": "EntityValues",
+ "type": "Object"
+ },
+ {
+ "name": "Id",
+ "type": "String"
+ },
+ {
+ "name": "MitreAttack",
+ "type": "Object"
+ },
+ {
+ "name": "Name",
+ "type": "String"
+ },
+ {
+ "name": "References",
+ "type": "Object"
+ },
+ {
+ "name": "SourceEventModel",
+ "type": "String"
+ },
+ {
+ "name": "Tactics",
+ "type": "Object"
+ },
+ {
+ "name": "TacticIds",
+ "type": "Object"
+ },
+ {
+ "name": "Techniques",
+ "type": "Object"
+ },
+ {
+ "name": "TechniqueIds",
+ "type": "Object"
+ },
+ {
+ "name": "XdrDetectionId",
+ "type": "String"
+ },
+ {
+ "name": "AddedPrivileges",
+ "type": "Object"
+ },
+ {
+ "name": "AggregateId",
+ "type": "String"
+ },
+ {
+ "name": "Objective",
+ "type": "String"
+ },
+ {
+ "name": "PolyId",
+ "type": "String"
+ },
+ {
+ "name": "PreviousPrivileges",
+ "type": "String"
+ },
+ {
+ "name": "Privileges",
+ "type": "String"
+ },
+ {
+ "name": "Scenario",
+ "type": "String"
+ },
+ {
+ "name": "Severity",
+ "type": "Int32"
+ },
+ {
+ "name": "SeverityName",
+ "type": "String"
+ },
+ {
+ "name": "SourceAccountDomain",
+ "type": "String"
+ },
+ {
+ "name": "SourceAccountName",
+ "type": "String"
+ },
+ {
+ "name": "SourceAccountObjectGuid",
+ "type": "String"
+ },
+ {
+ "name": "SourceAccountObjectSid",
+ "type": "String"
+ },
+ {
+ "name": "SourceAccountSamAccountName",
+ "type": "String"
+ },
+ {
+ "name": "SourceAccountUpn",
+ "type": "String"
+ },
+ {
+ "name": "Tactic",
+ "type": "String"
+ },
+ {
+ "name": "Technique",
+ "type": "String"
+ },
+ {
+ "name": "TacticId",
+ "type": "String"
+ },
+ {
+ "name": "TechniqueId",
+ "type": "String"
+ },
+ {
+ "name": "TemplateInstanceIdText",
+ "type": "String"
+ },
+ {
+ "name": "TemplateInterfaceIdText",
+ "type": "String"
+ },
+ {
+ "name": "SourceSystem",
+ "type": "String"
+ },
+ {
+ "name": "Type",
+ "type": "String"
+ },
+ {
+ "name": "_ItemId",
+ "type": "String"
+ }
+ ]
+}
\ No newline at end of file
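Review bot: `DateUpdated` (line 35), `ProcessStartTime` and `ProcessEndTime` (lines 199–208) are typed `String` while the sibling timestamp columns (`CreatedTimestamp`, `FirstBehavior`, `LastBehavior`, `UpdatedTimestamp`) are `DateTime`. If that mirrors the live CrowdStrikeDetections table created by the connector it is fine, but if it does not, the KQL validation tests, which only ever see this fixture, will accept or reject datetime operations on those columns differently from the real workspace. A one-line confirmation against the connector's table definition would settle it. The file also ends without a trailing newline (line 452).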
diff --git a/Parsers/ASimAlertEvent/ARM/ASimAlertEvent/ASimAlertEvent.json b/Parsers/ASimAlertEvent/ARM/ASimAlertEvent/ASimAlertEvent.json
index fb469969b89..cf2978d3c8a 100644
--- a/Parsers/ASimAlertEvent/ARM/ASimAlertEvent/ASimAlertEvent.json
+++ b/Parsers/ASimAlertEvent/ARM/ASimAlertEvent/ASimAlertEvent.json
@@ -27,7 +27,7 @@
"displayName": "Alert Event ASIM parser",
"category": "ASIM",
"FunctionAlias": "ASimAlertEvent",
- "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAlertEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludeASimAlertEvent' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(pack:bool=false){\nunion isfuzzy=true\n vimAlertEventEmpty,\n ASimAlertEventBitdefenderGravityZone (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventBitdefenderGravityZone' in (DisabledParsers))), pack=pack),\n ASimAlertEventMicrosoftDefenderXDR (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventMicrosoftDefenderXDR' in (DisabledParsers)))),\n ASimAlertEventSentinelOneSingularity (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventSentinelOneSingularity' in (DisabledParsers)))),\n ASimAlertEventCiscoSecureEndpoint (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventCiscoSecureEndpoint' in (DisabledParsers))), pack=pack),\n ASimAlertEventPaloAltoXDR (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventPaloAltoXDR' in (DisabledParsers))), pack=pack)\n}; \nparser (pack=pack)\n",
+ "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAlertEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludeASimAlertEvent' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(pack:bool=false){\nunion isfuzzy=true\n vimAlertEventEmpty,\n ASimAlertEventBitdefenderGravityZone (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventBitdefenderGravityZone' in (DisabledParsers))), pack=pack),\n ASimAlertEventMicrosoftDefenderXDR (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventMicrosoftDefenderXDR' in (DisabledParsers)))),\n ASimAlertEventSentinelOneSingularity (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventSentinelOneSingularity' in (DisabledParsers)))),\n ASimAlertEventCiscoSecureEndpoint (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventCiscoSecureEndpoint' in (DisabledParsers))), pack=pack),\n ASimAlertEventPaloAltoXDR (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventPaloAltoXDR' in (DisabledParsers))), pack=pack),\n ASimAlertEventCrowdStrikeFalcon (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventCrowdStrikeFalcon' in (DisabledParsers))), pack=pack)\n}; \nparser (pack=pack)\n",
"version": 1,
"functionParameters": "pack:bool=False"
}
diff --git a/Parsers/ASimAlertEvent/ARM/ASimAlertEventCrowdStrikeFalcon/ASimAlertEventCrowdStrikeFalcon.json b/Parsers/ASimAlertEvent/ARM/ASimAlertEventCrowdStrikeFalcon/ASimAlertEventCrowdStrikeFalcon.json
new file mode 100644
index 00000000000..17d85628783
--- /dev/null
+++ b/Parsers/ASimAlertEvent/ARM/ASimAlertEventCrowdStrikeFalcon/ASimAlertEventCrowdStrikeFalcon.json
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "Workspace": {
+ "type": "string",
+ "metadata": {
+ "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
+ }
+ },
+ "WorkspaceRegion": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "The region of the selected workspace. The default value will use the Region selection above."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "apiVersion": "2020-08-01",
+ "name": "[concat(parameters('Workspace'), '/ASimAlertEventCrowdStrikeFalcon')]",
+ "location": "[parameters('WorkspaceRegion')]",
+ "properties": {
+ "etag": "*",
+ "displayName": "Alert Event ASIM parser for CrowdStrike Falcon",
+ "category": "ASIM",
+ "FunctionAlias": "ASimAlertEventCrowdStrikeFalcon",
+ "query": "let parser = (\n disabled: bool=false,\n pack: bool=false\n){\n CrowdStrikeDetections\n | where not(disabled)\n | extend\n EventCount = int(1),\n EventEndTime = CreatedTimestamp,\n EventType = \"Alert\",\n EventProduct = \"Falcon\",\n EventVendor = \"CrowdStrike\",\n EventSchema = \"AlertEvent\",\n EventSchemaVersion = \"0.1\",\n DvcIpAddr = tostring(Device.local_ip),\n DvcHostname = tostring(Device.hostname),\n DvcDomain = tostring(Device.hostinfo.domain),\n DvcDomainType = iif(isnotempty(Device.hostinfo.domain), \"FQDN\", \"\"),\n DvcId = tostring(Device.device_id),\n DvcIdType = iff(isnotempty(Device.device_id), \"Other\", \"\"),\n EventProductVersion = tostring(Device.agent_version),\n DvcOs = tostring(Device.platform_name),\n DvcOsVersion = extract(@\"([\\d\\.]+)\", 1, tostring(Device.os_version))\n | project-rename\n EventStartTime = CreatedTimestamp,\n EventOriginalUid = Id,\n EventMessage = Description,\n EventOriginalSeverity = SeverityName,\n EventOriginalSubType = Scenario,\n EventOriginalType = DetectionType,\n EventReportUrl = FalconHostLink,\n DvcOriginalAction = PatternDispositionDescription\n | extend\n AlertId = EventOriginalUid,\n EventUid = _ItemId,\n AlertDescription = EventMessage,\n AlertStatus = iif(\n Status in (\"new\", \"in_progress\"), \"Active\",\n \"Closed\"\n ),\n DetectionMethod = case(\n Objective == \"Falcon Detection Method\" and (\n Name contains_cs \"Policy\"\n or Name contains_cs \"CustomTemplate\"\n or Name has_cs \"CustomerIOC\"\n ), \"User Defined Blocked List\",\n Objective == \"Falcon Detection Method\" and EventOriginalSubType == \"intel_detection\", \"Threat Intelligence\",\n Objective == \"Falcon Detection Method\" and EventOriginalSubType in (\"NGAV\", \"known_malware\", \"\"), \"Antivirus\",\n \"EDR\"\n ),\n EventSeverity = case(\n EventOriginalSeverity in (\"High\", \"Critical\"), \"High\",\n EventOriginalSeverity == \"Medium\", \"Medium\",\n EventOriginalSeverity == \"Low\", \"Low\",\n \"Informational\"\n 
),\n EventSubType = iif(EventOriginalSubType == \"suspicious_activity\", \"Suspicious Activity\", \"Threat\"),\n Rule = Name,\n RuleNumber = toint(MitreAttack[0].pattern_id),\n RuleName = Name,\n RuleDescription = EventMessage,\n ThreatName = tostring(IocContext[0].ioc_value),\n IndicatorType = case(\n IocContext[0].ioc_type in (\"ipv4\", \"ipv6\"), \"Ip\",\n // IocContext[0].ioc_type == \"\", \"User\",\n // IocContext[0].ioc_type == \"\", \"Process\",\n // IocContext[0].ioc_type == \"\", \"Registry\",\n // IocContext[0].ioc_type == \"\", \"Url\",\n IocContext[0].ioc_type == \"domain\", \"Host\",\n // IocContext[0].ioc_type == \"\", \"Cloud Resource\",\n // IocContext[0].ioc_type == \"\", \"Application\",\n IocContext[0].ioc_type in (\"hash_sha256\"), \"File\",\n // IocContext[0].ioc_type == \"\", \"Email\",\n // IocContext[0].ioc_type == \"\", \"Mailbox\",\n // IocContext[0].ioc_type == \"\", \"Logon Session\",\n \"\"\n ),\n AttackTactics = iif(TacticId startswith_cs \"TA\", Tactic, \"\"),\n AttackTechniques = iif(TechniqueId startswith_cs \"T\", strcat(Technique, \" (\", TechniqueId, \")\"), \"\"),\n ThreatOriginalRiskLevel = tostring(Severity),\n ThreatOriginalConfidence = tostring(Confidence),\n UserIdType = case(\n isnotempty(UserId) and UserId startswith_cs \"S-\", \"SID\",\n isnotempty(UserId), \"Other\",\n \"\"\n ),\n Username = coalesce(UserPrincipal, UserName),\n FileName = Filename,\n FilePath = Filepath,\n FileSHA1 = Sha1,\n FileSHA256 = Sha256\n | project-rename\n AlertName = Name,\n AlertOriginalStatus = Status,\n ThreatRiskLevel = Severity,\n ThreatConfidence = Confidence,\n ProcessCommandLine = Cmdline,\n ProcessName = Filename\n | extend\n UsernameType = case(\n Username contains \"@\", \"UPN\",\n isnotempty(Username), \"Simple\",\n \"\"\n ),\n User = Username,\n IpAddr = DvcIpAddr,\n Hostname = DvcHostname,\n AdditionalFields = iif(\n pack, bag_pack(\n \"Device\", Device,\n \"GlobalPrevalence\", GlobalPrevalence,\n \"GrandparentDetails\", 
GrandparentDetails,\n \"LocalPrevalence\", LocalPrevalence,\n \"ParentDetails\", ParentDetails,\n \"PatternDispositionDetails\", PatternDispositionDetails,\n \"Objective\", Objective\n ),\n dynamic(null)\n )\n | project\n TimeGenerated\n , Type\n , AdditionalFields\n , AlertDescription\n , AlertId\n , AlertName\n , AlertOriginalStatus\n , AlertStatus\n // , AlertVerdict\n // , AttackRemediationSteps\n , AttackTactics\n , AttackTechniques\n , DetectionMethod\n // , DvcAction\n // , DvcDescription\n , DvcDomain\n , DvcDomainType\n // , DvcFQDN\n , DvcHostname\n , DvcId\n , DvcIdType\n // , DvcInterface\n , DvcIpAddr\n // , DvcMacAddr\n , DvcOriginalAction\n , DvcOs\n , DvcOsVersion\n // , DvcScope\n // , DvcScopeId\n // , DvcZone\n // , EmailMessageId\n // , EmailSubject\n , EventCount\n , EventEndTime\n , EventMessage\n , EventOriginalSeverity\n , EventOriginalSubType\n , EventOriginalType\n , EventOriginalUid\n // , EventOwner\n , EventProduct\n , EventProductVersion\n , EventReportUrl\n //, EventResult\n , EventSchema\n , EventSchemaVersion\n , EventSeverity\n , EventStartTime\n , EventSubType\n , EventType\n , EventUid\n , EventVendor\n //, FileMD5\n , FileName\n , FilePath\n , FileSHA1\n , FileSHA256\n //, FileSize\n , Hostname\n //, IndicatorAssociation\n , IndicatorType\n , IpAddr\n //, OriginalUserType\n , ProcessCommandLine\n //, ProcessFileCompany\n , ProcessId\n , ProcessName\n // , RegistryKey\n // , RegistryValue\n // , RegistryValueData\n // , RegistryValueType\n , Rule\n , RuleDescription\n , RuleName\n , RuleNumber\n //, ThreatCategory\n , ThreatConfidence\n // , ThreatFirstReportedTime\n // , ThreatId\n // , ThreatIsActive\n // , ThreatLastReportedTime\n , ThreatName\n // , ThreatOriginalCategory\n , ThreatOriginalConfidence\n , ThreatOriginalRiskLevel\n , ThreatRiskLevel\n // , Url\n , User\n , UserId\n , UserIdType\n , Username\n , UsernameType\n // , UserScope\n // , UserScopeId\n // , UserSessionId\n // , UserType\n};\nparser(\n pack=pack,\n 
disabled=disabled\n)",
+ "version": 1,
+ "functionParameters": "disabled:bool=False,pack:bool=False"
+ }
+ }
+ ]
+}
\ No newline at end of file
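Review bot: The severity and status mappings inside the `query` string (line 501) use case-sensitive `in`/`==`, so a `SeverityName` such as `high` or a `Status` such as `New` falls through silently to `"Informational"` and `"Closed"`, which would hide real alerts from severity- or status-based analytics instead of failing visibly. Unless the CCF connector guarantees the casing, the case-insensitive forms are the safer default: `EventOriginalSeverity in~ ("High", "Critical"), "High",` / `EventOriginalSeverity =~ "Medium", "Medium",` and `AlertStatus = iif(Status in~ ("new", "in_progress"), "Active", "Closed")`. Separately, the custom table exposes an `Md5` column but the projection leaves `//, FileMD5` commented out; `FileMD5 = Md5` in the first extend would make that hash available for hash-based correlation alongside FileSHA1/FileSHA256. The same mappings presumably recur in the vimAlertEventCrowdStrikeFalcon query later in this commit, whose hunk is cut off at the end of this chunk.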
diff --git a/Parsers/ASimAlertEvent/ARM/ASimAlertEventCrowdStrikeFalcon/README.md b/Parsers/ASimAlertEvent/ARM/ASimAlertEventCrowdStrikeFalcon/README.md
new file mode 100644
index 00000000000..7908bc5a975
--- /dev/null
+++ b/Parsers/ASimAlertEvent/ARM/ASimAlertEventCrowdStrikeFalcon/README.md
@@ -0,0 +1,21 @@
+# CrowdStrike Falcon ASIM AlertEvent Normalization Parser
+
+ARM template for ASIM AlertEvent schema parser for CrowdStrike Falcon.
+
+This ASIM parser supports normalizing the CrowdStrike API logs (via Codeless Connector Framework) to the ASIM Alert normalized schema.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM AlertEvent normalization schema reference](https://aka.ms/ASimAlertEventDoc)
+
+For the changelog, see:
+- [CHANGELOG](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimAlertEvent/CHANGELOG/ASimAlertEventCrowdStrikeFalcon.md)
+
+
+
+[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAlertEvent%2FARM%2FASimAlertEventCrowdStrikeFalcon%2FASimAlertEventCrowdStrikeFalcon.json) [](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAlertEvent%2FARM%2FASimAlertEventCrowdStrikeFalcon%2FASimAlertEventCrowdStrikeFalcon.json)
diff --git a/Parsers/ASimAlertEvent/ARM/FullDeploymentAlertEvent.json b/Parsers/ASimAlertEvent/ARM/FullDeploymentAlertEvent.json
index 116a6320df8..0e49a03e95a 100644
--- a/Parsers/ASimAlertEvent/ARM/FullDeploymentAlertEvent.json
+++ b/Parsers/ASimAlertEvent/ARM/FullDeploymentAlertEvent.json
@@ -78,6 +78,26 @@
}
}
},
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedASimAlertEventCrowdStrikeFalcon",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAlertEvent/ARM/ASimAlertEventCrowdStrikeFalcon/ASimAlertEventCrowdStrikeFalcon.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
@@ -198,6 +218,26 @@
}
}
},
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedvimAlertEventCrowdStrikeFalcon",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAlertEvent/ARM/vimAlertEventCrowdStrikeFalcon/vimAlertEventCrowdStrikeFalcon.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
diff --git a/Parsers/ASimAlertEvent/ARM/imAlertEvent/imAlertEvent.json b/Parsers/ASimAlertEvent/ARM/imAlertEvent/imAlertEvent.json
index f27cd3a9228..49ea065a2a6 100644
--- a/Parsers/ASimAlertEvent/ARM/imAlertEvent/imAlertEvent.json
+++ b/Parsers/ASimAlertEvent/ARM/imAlertEvent/imAlertEvent.json
@@ -27,7 +27,7 @@
"displayName": "Alert Event ASIM filtering parser",
"category": "ASIM",
"FunctionAlias": "imAlertEvent",
- "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimAlertEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet vimBuiltInDisabled=toscalar('ExcludevimAlertEvent' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n ipaddr_has_any_prefix: dynamic=dynamic([]),\n hostname_has_any: dynamic=dynamic([]),\n username_has_any: dynamic=dynamic([]),\n attacktactics_has_any: dynamic=dynamic([]),\n attacktechniques_has_any: dynamic=dynamic([]),\n threatcategory_has_any: dynamic=dynamic([]),\n alertverdict_has_any: dynamic=dynamic([]),\n eventseverity_has_any: dynamic=dynamic([]),\n pack:bool=false)\n{\nunion isfuzzy=true\n vimAlertEventEmpty,\n vimAlertEventBitdefenderGravityZone (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAlertBitdefenderGravityZone' in (DisabledParsers))), pack=pack),\n vimAlertEventMicrosoftDefenderXDR (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAlertMicrosoftDefenderXDR' in (DisabledParsers)))),\n vimAlertEventSentinelOneSingularity 
(starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAlertSentinelOneSingularity' in (DisabledParsers)))),\n vimAlertEventCiscoSecureEndpoint (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAlertEventCiscoSecureEndpoint' in (DisabledParsers))), pack=pack),\n vimAlertEventPaloAltoXDR (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAlertEventPaloAltoXDR' in (DisabledParsers))), pack=pack)\n};\nparser (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, pack=pack)\n",
+ "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimAlertEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet vimBuiltInDisabled=toscalar('ExcludevimAlertEvent' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n ipaddr_has_any_prefix: dynamic=dynamic([]),\n hostname_has_any: dynamic=dynamic([]),\n username_has_any: dynamic=dynamic([]),\n attacktactics_has_any: dynamic=dynamic([]),\n attacktechniques_has_any: dynamic=dynamic([]),\n threatcategory_has_any: dynamic=dynamic([]),\n alertverdict_has_any: dynamic=dynamic([]),\n eventseverity_has_any: dynamic=dynamic([]),\n pack:bool=false)\n{\nunion isfuzzy=true\n vimAlertEventEmpty,\n vimAlertEventBitdefenderGravityZone (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAlertBitdefenderGravityZone' in (DisabledParsers))), pack=pack),\n vimAlertEventMicrosoftDefenderXDR (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAlertMicrosoftDefenderXDR' in (DisabledParsers)))),\n vimAlertEventSentinelOneSingularity 
(starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAlertSentinelOneSingularity' in (DisabledParsers)))),\n vimAlertEventCiscoSecureEndpoint (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAlertEventCiscoSecureEndpoint' in (DisabledParsers))), pack=pack),\n vimAlertEventPaloAltoXDR (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAlertEventPaloAltoXDR' in (DisabledParsers))), pack=pack),\n vimAlertEventCrowdStrikeFalcon (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or 
('ExcludevimAlertEventCrowdStrikeFalcon' in (DisabledParsers))), pack=pack)\n};\nparser (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, pack=pack)\n",
"version": 1,
"functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),ipaddr_has_any_prefix:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),username_has_any:dynamic=dynamic([]),attacktactics_has_any:dynamic=dynamic([]),attacktechniques_has_any:dynamic=dynamic([]),threatcategory_has_any:dynamic=dynamic([]),alertverdict_has_any:dynamic=dynamic([]),eventseverity_has_any:dynamic=dynamic([]),pack:bool=False"
}
diff --git a/Parsers/ASimAlertEvent/ARM/vimAlertEventCrowdStrikeFalcon/README.md b/Parsers/ASimAlertEvent/ARM/vimAlertEventCrowdStrikeFalcon/README.md
new file mode 100644
index 00000000000..8aa906f8192
--- /dev/null
+++ b/Parsers/ASimAlertEvent/ARM/vimAlertEventCrowdStrikeFalcon/README.md
@@ -0,0 +1,21 @@
+# CrowdStrike Falcon ASIM AlertEvent Normalization Parser
+
+ARM template for ASIM AlertEvent schema parser for CrowdStrike Falcon.
+
+This ASIM parser supports normalizing the CrowdStrike API logs (via Codeless Connector Framework) to the ASIM Alert normalized schema.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM AlertEvent normalization schema reference](https://aka.ms/ASimAlertEventDoc)
+
+For the changelog, see:
+- [CHANGELOG](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimAlertEvent/CHANGELOG/vimAlertEventCrowdStrikeFalcon.md)
+
+
+
+[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAlertEvent%2FARM%2FvimAlertEventCrowdStrikeFalcon%2FvimAlertEventCrowdStrikeFalcon.json) [](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAlertEvent%2FARM%2FvimAlertEventCrowdStrikeFalcon%2FvimAlertEventCrowdStrikeFalcon.json)
diff --git a/Parsers/ASimAlertEvent/ARM/vimAlertEventCrowdStrikeFalcon/vimAlertEventCrowdStrikeFalcon.json b/Parsers/ASimAlertEvent/ARM/vimAlertEventCrowdStrikeFalcon/vimAlertEventCrowdStrikeFalcon.json
new file mode 100644
index 00000000000..3e10b50a1d7
--- /dev/null
+++ b/Parsers/ASimAlertEvent/ARM/vimAlertEventCrowdStrikeFalcon/vimAlertEventCrowdStrikeFalcon.json
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "Workspace": {
+ "type": "string",
+ "metadata": {
+ "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
+ }
+ },
+ "WorkspaceRegion": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "The region of the selected workspace. The default value will use the Region selection above."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "apiVersion": "2020-08-01",
+ "name": "[concat(parameters('Workspace'), '/vimAlertEventCrowdStrikeFalcon')]",
+ "location": "[parameters('WorkspaceRegion')]",
+ "properties": {
+ "etag": "*",
+ "displayName": "Alert Event ASIM parser for CrowdStrike Falcon",
+ "category": "ASIM",
+ "FunctionAlias": "vimAlertEventCrowdStrikeFalcon",
+ "query": "let parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n ipaddr_has_any_prefix: dynamic=dynamic([]),\n hostname_has_any: dynamic=dynamic([]),\n username_has_any: dynamic=dynamic([]),\n attacktactics_has_any: dynamic=dynamic([]),\n attacktechniques_has_any: dynamic=dynamic([]),\n threatcategory_has_any: dynamic=dynamic([]),\n alertverdict_has_any: dynamic=dynamic([]),\n eventseverity_has_any: dynamic=dynamic([]),\n disabled: bool=false,\n pack: bool=false\n){\n CrowdStrikeDetections\n | where not(disabled)\n | where (isnull(starttime) or CreatedTimestamp >= starttime)\n and (isnull(endtime) or CreatedTimestamp <= endtime)\n | where ((array_length(ipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(Device.local_ip, ipaddr_has_any_prefix))\n | where ((array_length(hostname_has_any) == 0) or Device.hostname has_any (hostname_has_any))\n // The tactics & techniques also include CrowdStrike pseudo-values (CS-prefixed), these are filtered out later\n | where ((array_length(attacktactics_has_any) == 0) or Tactic has_any (attacktactics_has_any) or TacticId has_any (attacktactics_has_any))\n | where ((array_length(attacktechniques_has_any) == 0) or Technique has_any (attacktechniques_has_any) or TechniqueId has_any (attacktechniques_has_any))\n | where (array_length(threatcategory_has_any) == 0) //Parser does not support ThreatCategory\n | where (array_length(alertverdict_has_any) == 0) //Parser does not support AlertVerdict\n | extend\n EventCount = int(1),\n EventEndTime = CreatedTimestamp,\n EventType = \"Alert\",\n EventProduct = \"Falcon\",\n EventVendor = \"CrowdStrike\",\n EventSchema = \"AlertEvent\",\n EventSchemaVersion = \"0.1\",\n DvcIpAddr = tostring(Device.local_ip),\n DvcHostname = tostring(Device.hostname),\n DvcDomain = tostring(Device.hostinfo.domain),\n DvcDomainType = iif(isnotempty(Device.hostinfo.domain), \"FQDN\", \"\"),\n DvcId = tostring(Device.device_id),\n DvcIdType = iff(isnotempty(Device.device_id), 
\"Other\", \"\"),\n EventProductVersion = tostring(Device.agent_version),\n DvcOs = tostring(Device.platform_name),\n DvcOsVersion = extract(@\"([\\d\\.]+)\", 1, tostring(Device.os_version))\n | project-rename\n EventStartTime = CreatedTimestamp,\n EventOriginalUid = Id,\n EventMessage = Description,\n EventOriginalSeverity = SeverityName,\n EventOriginalSubType = Scenario,\n EventOriginalType = DetectionType,\n EventReportUrl = FalconHostLink,\n DvcOriginalAction = PatternDispositionDescription\n | extend\n AlertId = EventOriginalUid,\n EventUid = _ItemId,\n AlertDescription = EventMessage,\n AlertStatus = iif(\n Status in (\"new\", \"in_progress\"), \"Active\",\n \"Closed\"\n ),\n DetectionMethod = case(\n Objective == \"Falcon Detection Method\" and (\n Name contains_cs \"Policy\"\n or Name contains_cs \"CustomTemplate\"\n or Name has_cs \"CustomerIOC\"\n ), \"User Defined Blocked List\",\n Objective == \"Falcon Detection Method\" and EventOriginalSubType == \"intel_detection\", \"Threat Intelligence\",\n Objective == \"Falcon Detection Method\" and EventOriginalSubType in (\"NGAV\", \"known_malware\", \"\"), \"Antivirus\",\n \"EDR\"\n ),\n EventSeverity = case(\n EventOriginalSeverity in (\"High\", \"Critical\"), \"High\",\n EventOriginalSeverity == \"Medium\", \"Medium\",\n EventOriginalSeverity == \"Low\", \"Low\",\n \"Informational\"\n ),\n EventSubType = iif(EventOriginalSubType == \"suspicious_activity\", \"Suspicious Activity\", \"Threat\"),\n Rule = Name,\n RuleNumber = toint(MitreAttack[0].pattern_id),\n RuleName = Name,\n RuleDescription = EventMessage,\n ThreatName = tostring(IocContext[0].ioc_value),\n IndicatorType = case(\n IocContext[0].ioc_type in (\"ipv4\", \"ipv6\"), \"Ip\",\n // IocContext[0].ioc_type == \"\", \"User\",\n // IocContext[0].ioc_type == \"\", \"Process\",\n // IocContext[0].ioc_type == \"\", \"Registry\",\n // IocContext[0].ioc_type == \"\", \"Url\",\n IocContext[0].ioc_type == \"domain\", \"Host\",\n // IocContext[0].ioc_type == 
\"\", \"Cloud Resource\",\n // IocContext[0].ioc_type == \"\", \"Application\",\n IocContext[0].ioc_type in (\"hash_sha256\"), \"File\",\n // IocContext[0].ioc_type == \"\", \"Email\",\n // IocContext[0].ioc_type == \"\", \"Mailbox\",\n // IocContext[0].ioc_type == \"\", \"Logon Session\",\n \"\"\n ),\n AttackTactics = iif(TacticId startswith_cs \"TA\", Tactic, \"\"),\n AttackTechniques = iif(TechniqueId startswith_cs \"T\", strcat(Technique, \" (\", TechniqueId, \")\"), \"\"),\n ThreatOriginalRiskLevel = tostring(Severity),\n ThreatOriginalConfidence = tostring(Confidence),\n UserIdType = case(\n isnotempty(UserId) and UserId startswith_cs \"S-\", \"SID\",\n isnotempty(UserId), \"Other\",\n \"\"\n ),\n Username = coalesce(UserPrincipal, UserName),\n FileName = Filename,\n FilePath = Filepath,\n FileSHA1 = Sha1,\n FileSHA256 = Sha256\n | where ((array_length(username_has_any) == 0) or Username has_any (username_has_any))\n | where ((array_length(attacktactics_has_any) == 0) or AttackTactics has_any (attacktactics_has_any))\n | where ((array_length(attacktechniques_has_any) == 0) or AttackTechniques has_any (attacktechniques_has_any))\n | where ((array_length(eventseverity_has_any) == 0) or EventSeverity has_any (eventseverity_has_any))\n | project-rename\n AlertName = Name,\n AlertOriginalStatus = Status,\n ThreatRiskLevel = Severity,\n ThreatConfidence = Confidence,\n ProcessCommandLine = Cmdline,\n ProcessName = Filename\n | extend\n UsernameType = case(\n Username contains \"@\", \"UPN\",\n isnotempty(Username), \"Simple\",\n \"\"\n ),\n User = Username,\n IpAddr = DvcIpAddr,\n Hostname = DvcHostname,\n AdditionalFields = iif(\n pack, bag_pack(\n \"Device\", Device,\n \"GlobalPrevalence\", GlobalPrevalence,\n \"GrandparentDetails\", GrandparentDetails,\n \"LocalPrevalence\", LocalPrevalence,\n \"ParentDetails\", ParentDetails,\n \"PatternDispositionDetails\", PatternDispositionDetails,\n \"Objective\", Objective\n ),\n dynamic(null)\n )\n | project\n 
TimeGenerated\n , Type\n , AdditionalFields\n , AlertDescription\n , AlertId\n , AlertName\n , AlertOriginalStatus\n , AlertStatus\n // , AlertVerdict\n // , AttackRemediationSteps\n , AttackTactics\n , AttackTechniques\n , DetectionMethod\n // , DvcAction\n // , DvcDescription\n , DvcDomain\n , DvcDomainType\n // , DvcFQDN\n , DvcHostname\n , DvcId\n , DvcIdType\n // , DvcInterface\n , DvcIpAddr\n // , DvcMacAddr\n , DvcOriginalAction\n , DvcOs\n , DvcOsVersion\n // , DvcScope\n // , DvcScopeId\n // , DvcZone\n // , EmailMessageId\n // , EmailSubject\n , EventCount\n , EventEndTime\n , EventMessage\n , EventOriginalSeverity\n , EventOriginalSubType\n , EventOriginalType\n , EventOriginalUid\n // , EventOwner\n , EventProduct\n , EventProductVersion\n , EventReportUrl\n //, EventResult\n , EventSchema\n , EventSchemaVersion\n , EventSeverity\n , EventStartTime\n , EventSubType\n , EventType\n , EventUid\n , EventVendor\n //, FileMD5\n , FileName\n , FilePath\n , FileSHA1\n , FileSHA256\n //, FileSize\n , Hostname\n //, IndicatorAssociation\n , IndicatorType\n , IpAddr\n //, OriginalUserType\n , ProcessCommandLine\n //, ProcessFileCompany\n , ProcessId\n , ProcessName\n // , RegistryKey\n // , RegistryValue\n // , RegistryValueData\n // , RegistryValueType\n , Rule\n , RuleDescription\n , RuleName\n , RuleNumber\n //, ThreatCategory\n , ThreatConfidence\n // , ThreatFirstReportedTime\n // , ThreatId\n // , ThreatIsActive\n // , ThreatLastReportedTime\n , ThreatName\n // , ThreatOriginalCategory\n , ThreatOriginalConfidence\n , ThreatOriginalRiskLevel\n , ThreatRiskLevel\n // , Url\n , User\n , UserId\n , UserIdType\n , Username\n , UsernameType\n // , UserScope\n // , UserScopeId\n // , UserSessionId\n // , UserType\n};\nparser(\n starttime = starttime, \n endtime = endtime, \n ipaddr_has_any_prefix = ipaddr_has_any_prefix,\n hostname_has_any = hostname_has_any,\n username_has_any = username_has_any,\n attacktactics_has_any = attacktactics_has_any,\n 
attacktechniques_has_any = attacktechniques_has_any,\n threatcategory_has_any = threatcategory_has_any,\n alertverdict_has_any = alertverdict_has_any,\n eventseverity_has_any = eventseverity_has_any,\n pack=pack,\n disabled=disabled\n)",
+ "version": 1,
+ "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),ipaddr_has_any_prefix:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),username_has_any:dynamic=dynamic([]),attacktactics_has_any:dynamic=dynamic([]),attacktechniques_has_any:dynamic=dynamic([]),threatcategory_has_any:dynamic=dynamic([]),alertverdict_has_any:dynamic=dynamic([]),eventseverity_has_any:dynamic=dynamic([]),disabled:bool=False,pack:bool=False"
+ }
+ }
+ ]
+}
\ No newline at end of file
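Review bot: In the embedded `query` string, the pre-filter `TacticId has_any (attacktactics_has_any)` can match a caller-supplied tactic ID, but the later post-filter `AttackTactics has_any (attacktactics_has_any)` cannot, because `AttackTactics` is built from `Tactic` alone; a tactic-ID filter therefore always yields no rows, whereas the technique path works since `AttackTechniques` embeds `TechniqueId`. Either drop the `TacticId` clause from the pre-filter or make the post-filter symmetric: `| where ((array_length(attacktactics_has_any) == 0) or AttackTactics has_any (attacktactics_has_any) or TacticId has_any (attacktactics_has_any))`. This template carries the same query as `vimAlertEventCrowdStrikeFalcon.yaml`, so the fix belongs in the YAML and the ARM output should be regenerated. Separately, `has_any_ipv4_prefix(Device.local_ip, ipaddr_has_any_prefix)` passes a dynamic property where the function expects a string; if implicit conversion does not apply in this context, use `tostring(Device.local_ip)`, matching how `DvcIpAddr` is derived.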
diff --git a/Parsers/ASimAlertEvent/CHANGELOG/ASimAlertEvent.md b/Parsers/ASimAlertEvent/CHANGELOG/ASimAlertEvent.md
index ea83ef1b344..397deedf1d0 100644
--- a/Parsers/ASimAlertEvent/CHANGELOG/ASimAlertEvent.md
+++ b/Parsers/ASimAlertEvent/CHANGELOG/ASimAlertEvent.md
@@ -1,5 +1,9 @@
# Changelog for ASimAlertEvent.yaml
+## Version 0.1.4
+
+- (2026-06-16) CrowdStrike Falcon - AlertEvent ASIM Parser - [PR #14488](https://github.com/Azure/Azure-Sentinel/pull/14488)
+
## Version 0.1.3
- (2026-06-04) Palo Alto XDR - AlertEvent ASIM Parser - [PR #14401](https://github.com/Azure/Azure-Sentinel/pull/14401)
diff --git a/Parsers/ASimAlertEvent/CHANGELOG/ASimAlertEventCrowdStrikeFalcon.md b/Parsers/ASimAlertEvent/CHANGELOG/ASimAlertEventCrowdStrikeFalcon.md
new file mode 100644
index 00000000000..795236415de
--- /dev/null
+++ b/Parsers/ASimAlertEvent/CHANGELOG/ASimAlertEventCrowdStrikeFalcon.md
@@ -0,0 +1,5 @@
+# Changelog for ASimAlertEventCrowdStrikeFalcon.yaml
+
+## Version 0.1.0
+
+- (2026-06-16) CrowdStrike Falcon - AlertEvent ASIM Parser - [PR #14488](https://github.com/Azure/Azure-Sentinel/pull/14488)
diff --git a/Parsers/ASimAlertEvent/CHANGELOG/imAlertEvent.md b/Parsers/ASimAlertEvent/CHANGELOG/imAlertEvent.md
index 638cc76d24a..5ab1e6e7785 100644
--- a/Parsers/ASimAlertEvent/CHANGELOG/imAlertEvent.md
+++ b/Parsers/ASimAlertEvent/CHANGELOG/imAlertEvent.md
@@ -1,5 +1,9 @@
# Changelog for imAlertEvent.yaml
+## Version 0.1.4
+
+- (2026-06-16) CrowdStrike Falcon - AlertEvent ASIM Parser - [PR #14488](https://github.com/Azure/Azure-Sentinel/pull/14488)
+
## Version 0.1.3
- (2026-06-04) Palo Alto XDR - AlertEvent ASIM Parser - [PR #14401](https://github.com/Azure/Azure-Sentinel/pull/14401)
diff --git a/Parsers/ASimAlertEvent/CHANGELOG/vimAlertEventCrowdStrikeFalcon.md b/Parsers/ASimAlertEvent/CHANGELOG/vimAlertEventCrowdStrikeFalcon.md
new file mode 100644
index 00000000000..7f4b3cf431c
--- /dev/null
+++ b/Parsers/ASimAlertEvent/CHANGELOG/vimAlertEventCrowdStrikeFalcon.md
@@ -0,0 +1,5 @@
+# Changelog for vimAlertEventCrowdStrikeFalcon.yaml
+
+## Version 0.1.0
+
+- (2026-06-16) CrowdStrike Falcon - AlertEvent ASIM Parser - [PR #14488](https://github.com/Azure/Azure-Sentinel/pull/14488)
diff --git a/Parsers/ASimAlertEvent/Parsers/ASimAlertEvent.yaml b/Parsers/ASimAlertEvent/Parsers/ASimAlertEvent.yaml
index 025da4f35e0..20d1946bbf0 100644
--- a/Parsers/ASimAlertEvent/Parsers/ASimAlertEvent.yaml
+++ b/Parsers/ASimAlertEvent/Parsers/ASimAlertEvent.yaml
@@ -1,7 +1,7 @@
Parser:
Title: Alert Event ASIM parser
- Version: '0.1.3'
- LastUpdated: Jun 03, 2026
+ Version: '0.1.4'
+ LastUpdated: Jun 16, 2026
Product:
Name: Source agnostic
Normalization:
@@ -23,6 +23,7 @@ Parsers:
- _ASim_AlertEvent_SentinelOneSingularity
- _ASim_AlertEvent_CiscoSecureEndpoint
- _ASim_AlertEvent_PaloAltoXDR
+ - _ASim_AlertEvent_CrowdStrikeFalcon
ParserParams:
- Name: pack
Type: bool
@@ -37,6 +38,7 @@ ParserQuery: |
ASimAlertEventMicrosoftDefenderXDR (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventMicrosoftDefenderXDR' in (DisabledParsers)))),
ASimAlertEventSentinelOneSingularity (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventSentinelOneSingularity' in (DisabledParsers)))),
ASimAlertEventCiscoSecureEndpoint (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventCiscoSecureEndpoint' in (DisabledParsers))), pack=pack),
- ASimAlertEventPaloAltoXDR (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventPaloAltoXDR' in (DisabledParsers))), pack=pack)
+ ASimAlertEventPaloAltoXDR (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventPaloAltoXDR' in (DisabledParsers))), pack=pack),
+ ASimAlertEventCrowdStrikeFalcon (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventCrowdStrikeFalcon' in (DisabledParsers))), pack=pack)
};
parser (pack=pack)
diff --git a/Parsers/ASimAlertEvent/Parsers/ASimAlertEventCrowdStrikeFalcon.yaml b/Parsers/ASimAlertEvent/Parsers/ASimAlertEventCrowdStrikeFalcon.yaml
new file mode 100644
index 00000000000..39160118b34
--- /dev/null
+++ b/Parsers/ASimAlertEvent/Parsers/ASimAlertEventCrowdStrikeFalcon.yaml
@@ -0,0 +1,247 @@
+Parser:
+ Title: Alert Event ASIM parser for CrowdStrike Falcon
+ Version: "0.1.0"
+ LastUpdated: Jun 16, 2026
+Product:
+ Name: CrowdStrike Falcon
+Normalization:
+ Schema: AlertEvent
+ Version: "0.1"
+References:
+ - Title: ASIM Alert Schema
+ Link: https://aka.ms/ASimAlertEventDoc
+ - Title: ASIM
+ Link: https://aka.ms/AboutASIM
+Description: |
+ This ASIM parser supports normalizing the CrowdStrike API logs (via Codeless Connector Framework) to the ASIM Alert normalized schema.
+ParserName: ASimAlertEventCrowdStrikeFalcon
+EquivalentBuiltInParser: _ASim_AlertEvent_CrowdStrikeFalcon
+ParserParams:
+ - Name: disabled
+ Type: bool
+ Default: false
+ - Name: pack
+ Type: bool
+ Default: false
+ParserQuery: |
+ let parser = (
+ disabled: bool=false,
+ pack: bool=false
+ ){
+ CrowdStrikeDetections
+ | where not(disabled)
+ | extend
+ EventCount = int(1),
+ EventEndTime = CreatedTimestamp,
+ EventType = "Alert",
+ EventProduct = "Falcon",
+ EventVendor = "CrowdStrike",
+ EventSchema = "AlertEvent",
+ EventSchemaVersion = "0.1",
+ DvcIpAddr = tostring(Device.local_ip),
+ DvcHostname = tostring(Device.hostname),
+ DvcDomain = tostring(Device.hostinfo.domain),
+ DvcDomainType = iif(isnotempty(Device.hostinfo.domain), "FQDN", ""),
+ DvcId = tostring(Device.device_id),
+ DvcIdType = iff(isnotempty(Device.device_id), "Other", ""),
+ EventProductVersion = tostring(Device.agent_version),
+ DvcOs = tostring(Device.platform_name),
+ DvcOsVersion = extract(@"([\d\.]+)", 1, tostring(Device.os_version))
+ | project-rename
+ EventStartTime = CreatedTimestamp,
+ EventOriginalUid = Id,
+ EventMessage = Description,
+ EventOriginalSeverity = SeverityName,
+ EventOriginalSubType = Scenario,
+ EventOriginalType = DetectionType,
+ EventReportUrl = FalconHostLink,
+ DvcOriginalAction = PatternDispositionDescription
+ | extend
+ AlertId = EventOriginalUid,
+ EventUid = _ItemId,
+ AlertDescription = EventMessage,
+ AlertStatus = iif(
+ Status in ("new", "in_progress"), "Active",
+ "Closed"
+ ),
+ DetectionMethod = case(
+ Objective == "Falcon Detection Method" and (
+ Name contains_cs "Policy"
+ or Name contains_cs "CustomTemplate"
+ or Name has_cs "CustomerIOC"
+ ), "User Defined Blocked List",
+ Objective == "Falcon Detection Method" and EventOriginalSubType == "intel_detection", "Threat Intelligence",
+ Objective == "Falcon Detection Method" and EventOriginalSubType in ("NGAV", "known_malware", ""), "Antivirus",
+ "EDR"
+ ),
+ EventSeverity = case(
+ EventOriginalSeverity in ("High", "Critical"), "High",
+ EventOriginalSeverity == "Medium", "Medium",
+ EventOriginalSeverity == "Low", "Low",
+ "Informational"
+ ),
+ EventSubType = iif(EventOriginalSubType == "suspicious_activity", "Suspicious Activity", "Threat"),
+ Rule = Name,
+ RuleNumber = toint(MitreAttack[0].pattern_id),
+ RuleName = Name,
+ RuleDescription = EventMessage,
+ ThreatName = tostring(IocContext[0].ioc_value),
+ IndicatorType = case(
+ IocContext[0].ioc_type in ("ipv4", "ipv6"), "Ip",
+ // IocContext[0].ioc_type == "", "User",
+ // IocContext[0].ioc_type == "", "Process",
+ // IocContext[0].ioc_type == "", "Registry",
+ // IocContext[0].ioc_type == "", "Url",
+ IocContext[0].ioc_type == "domain", "Host",
+ // IocContext[0].ioc_type == "", "Cloud Resource",
+ // IocContext[0].ioc_type == "", "Application",
+ IocContext[0].ioc_type in ("hash_sha256"), "File",
+ // IocContext[0].ioc_type == "", "Email",
+ // IocContext[0].ioc_type == "", "Mailbox",
+ // IocContext[0].ioc_type == "", "Logon Session",
+ ""
+ ),
+ AttackTactics = iif(TacticId startswith_cs "TA", Tactic, ""),
+ AttackTechniques = iif(TechniqueId startswith_cs "T", strcat(Technique, " (", TechniqueId, ")"), ""),
+ ThreatOriginalRiskLevel = tostring(Severity),
+ ThreatOriginalConfidence = tostring(Confidence),
+ UserIdType = case(
+ isnotempty(UserId) and UserId startswith_cs "S-", "SID",
+ isnotempty(UserId), "Other",
+ ""
+ ),
+ Username = coalesce(UserPrincipal, UserName),
+ FileName = Filename,
+ FilePath = Filepath,
+ FileSHA1 = Sha1,
+ FileSHA256 = Sha256
+ | project-rename
+ AlertName = Name,
+ AlertOriginalStatus = Status,
+ ThreatRiskLevel = Severity,
+ ThreatConfidence = Confidence,
+ ProcessCommandLine = Cmdline,
+ ProcessName = Filename
+ | extend
+ UsernameType = case(
+ Username contains "@", "UPN",
+ isnotempty(Username), "Simple",
+ ""
+ ),
+ User = Username,
+ IpAddr = DvcIpAddr,
+ Hostname = DvcHostname,
+ AdditionalFields = iif(
+ pack, bag_pack(
+ "Device", Device,
+ "GlobalPrevalence", GlobalPrevalence,
+ "GrandparentDetails", GrandparentDetails,
+ "LocalPrevalence", LocalPrevalence,
+ "ParentDetails", ParentDetails,
+ "PatternDispositionDetails", PatternDispositionDetails,
+ "Objective", Objective
+ ),
+ dynamic(null)
+ )
+ | project
+ TimeGenerated
+ , Type
+ , AdditionalFields
+ , AlertDescription
+ , AlertId
+ , AlertName
+ , AlertOriginalStatus
+ , AlertStatus
+ // , AlertVerdict
+ // , AttackRemediationSteps
+ , AttackTactics
+ , AttackTechniques
+ , DetectionMethod
+ // , DvcAction
+ // , DvcDescription
+ , DvcDomain
+ , DvcDomainType
+ // , DvcFQDN
+ , DvcHostname
+ , DvcId
+ , DvcIdType
+ // , DvcInterface
+ , DvcIpAddr
+ // , DvcMacAddr
+ , DvcOriginalAction
+ , DvcOs
+ , DvcOsVersion
+ // , DvcScope
+ // , DvcScopeId
+ // , DvcZone
+ // , EmailMessageId
+ // , EmailSubject
+ , EventCount
+ , EventEndTime
+ , EventMessage
+ , EventOriginalSeverity
+ , EventOriginalSubType
+ , EventOriginalType
+ , EventOriginalUid
+ // , EventOwner
+ , EventProduct
+ , EventProductVersion
+ , EventReportUrl
+ //, EventResult
+ , EventSchema
+ , EventSchemaVersion
+ , EventSeverity
+ , EventStartTime
+ , EventSubType
+ , EventType
+ , EventUid
+ , EventVendor
+ //, FileMD5
+ , FileName
+ , FilePath
+ , FileSHA1
+ , FileSHA256
+ //, FileSize
+ , Hostname
+ //, IndicatorAssociation
+ , IndicatorType
+ , IpAddr
+ //, OriginalUserType
+ , ProcessCommandLine
+ //, ProcessFileCompany
+ , ProcessId
+ , ProcessName
+ // , RegistryKey
+ // , RegistryValue
+ // , RegistryValueData
+ // , RegistryValueType
+ , Rule
+ , RuleDescription
+ , RuleName
+ , RuleNumber
+ //, ThreatCategory
+ , ThreatConfidence
+ // , ThreatFirstReportedTime
+ // , ThreatId
+ // , ThreatIsActive
+ // , ThreatLastReportedTime
+ , ThreatName
+ // , ThreatOriginalCategory
+ , ThreatOriginalConfidence
+ , ThreatOriginalRiskLevel
+ , ThreatRiskLevel
+ // , Url
+ , User
+ , UserId
+ , UserIdType
+ , Username
+ , UsernameType
+ // , UserScope
+ // , UserScopeId
+ // , UserSessionId
+ // , UserType
+ };
+ parser(
+ pack=pack,
+ disabled=disabled
+ )
\ No newline at end of file
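Review bot: `AlertStatus = iif(Status in ("new", "in_progress"), "Active", "Closed")` maps every other status to `"Closed"`, so if the source also emits a re-opened state (CrowdStrike detections can, I believe, carry a `reopened` status) an alert that is back in work is reported as closed; consider `Status in ("new", "in_progress", "reopened"), "Active"` once the status set is confirmed, and note that `in` is case-sensitive, so a capitalised source value would also fall into `"Closed"`. The same block is repeated in `vimAlertEventCrowdStrikeFalcon.yaml` and in the ARM template above. Style: the first `extend` uses both `iif` (`DvcDomainType`) and `iff` (`DvcIdType`); pick one spelling. `DvcDomainType` is hard-coded to `"FQDN"` whenever `Device.hostinfo.domain` is set, which deserves a comment such as `// hostinfo.domain is assumed to be a DNS domain; if it can be a NetBIOS/AD short name, map DvcDomainType to "Windows"` so the assumption is visible to maintainers.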
diff --git a/Parsers/ASimAlertEvent/Parsers/imAlertEvent.yaml b/Parsers/ASimAlertEvent/Parsers/imAlertEvent.yaml
index 67b66f60b4d..488308f2846 100644
--- a/Parsers/ASimAlertEvent/Parsers/imAlertEvent.yaml
+++ b/Parsers/ASimAlertEvent/Parsers/imAlertEvent.yaml
@@ -1,7 +1,7 @@
Parser:
Title: Alert Event ASIM filtering parser
- Version: '0.1.3'
- LastUpdated: Jun 03, 2026
+ Version: '0.1.4'
+ LastUpdated: Jun 16, 2026
Product:
Name: Source agnostic
Normalization:
@@ -23,6 +23,7 @@ Parsers:
- _Im_AlertEvent_SentinelOneSingularity
- _Im_AlertEvent_CiscoSecureEndpoint
- _Im_AlertEvent_PaloAltoXDR
+ - _Im_AlertEvent_CrowdStrikeFalcon
ParserParams:
- Name: starttime
Type: datetime
@@ -79,6 +80,7 @@ ParserQuery: |
vimAlertEventMicrosoftDefenderXDR (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAlertMicrosoftDefenderXDR' in (DisabledParsers)))),
vimAlertEventSentinelOneSingularity (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAlertSentinelOneSingularity' in (DisabledParsers)))),
vimAlertEventCiscoSecureEndpoint (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAlertEventCiscoSecureEndpoint' in (DisabledParsers))), pack=pack),
- vimAlertEventPaloAltoXDR (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAlertEventPaloAltoXDR' in (DisabledParsers))), pack=pack)
+ vimAlertEventPaloAltoXDR (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAlertEventPaloAltoXDR' in (DisabledParsers))), pack=pack),
+ vimAlertEventCrowdStrikeFalcon (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAlertEventCrowdStrikeFalcon' in (DisabledParsers))), pack=pack)
};
parser (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, pack=pack)
diff --git a/Parsers/ASimAlertEvent/Parsers/vimAlertEventCrowdStrikeFalcon.yaml b/Parsers/ASimAlertEvent/Parsers/vimAlertEventCrowdStrikeFalcon.yaml
new file mode 100644
index 00000000000..8faffb615b8
--- /dev/null
+++ b/Parsers/ASimAlertEvent/Parsers/vimAlertEventCrowdStrikeFalcon.yaml
@@ -0,0 +1,310 @@
+Parser:
+ Title: Alert Event ASIM parser for CrowdStrike Falcon
+ Version: "0.1.0"
+ LastUpdated: Jun 16, 2026
+Product:
+ Name: CrowdStrike Falcon
+Normalization:
+ Schema: AlertEvent
+ Version: "0.1"
+References:
+ - Title: ASIM Alert Schema
+ Link: https://aka.ms/ASimAlertEventDoc
+ - Title: ASIM
+ Link: https://aka.ms/AboutASIM
+Description: |
+ This ASIM parser supports normalizing the CrowdStrike API logs (via Codeless Connector Framework) to the ASIM Alert normalized schema.
+ParserName: vimAlertEventCrowdStrikeFalcon
+EquivalentBuiltInParser: _Im_AlertEvent_CrowdStrikeFalcon
+ParserParams:
+ - Name: starttime
+ Type: datetime
+ Default: datetime(null)
+ - Name: endtime
+ Type: datetime
+ Default: datetime(null)
+ - Name: ipaddr_has_any_prefix
+ Type: dynamic
+ Default: dynamic([])
+ - Name: hostname_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: username_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: attacktactics_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: attacktechniques_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: threatcategory_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: alertverdict_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: eventseverity_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: disabled
+ Type: bool
+ Default: false
+ - Name: pack
+ Type: bool
+ Default: false
+ParserQuery: |
+ let parser = (
+ starttime: datetime=datetime(null),
+ endtime: datetime=datetime(null),
+ ipaddr_has_any_prefix: dynamic=dynamic([]),
+ hostname_has_any: dynamic=dynamic([]),
+ username_has_any: dynamic=dynamic([]),
+ attacktactics_has_any: dynamic=dynamic([]),
+ attacktechniques_has_any: dynamic=dynamic([]),
+ threatcategory_has_any: dynamic=dynamic([]),
+ alertverdict_has_any: dynamic=dynamic([]),
+ eventseverity_has_any: dynamic=dynamic([]),
+ disabled: bool=false,
+ pack: bool=false
+ ){
+ CrowdStrikeDetections
+ | where not(disabled)
+ | where (isnull(starttime) or CreatedTimestamp >= starttime)
+ and (isnull(endtime) or CreatedTimestamp <= endtime)
+ | where ((array_length(ipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(Device.local_ip, ipaddr_has_any_prefix))
+ | where ((array_length(hostname_has_any) == 0) or Device.hostname has_any (hostname_has_any))
+ // The tactics & techniques also include CrowdStrike pseudo-values (CS-prefixed), these are filtered out later
+ | where ((array_length(attacktactics_has_any) == 0) or Tactic has_any (attacktactics_has_any) or TacticId has_any (attacktactics_has_any))
+ | where ((array_length(attacktechniques_has_any) == 0) or Technique has_any (attacktechniques_has_any) or TechniqueId has_any (attacktechniques_has_any))
+ | where (array_length(threatcategory_has_any) == 0) //Parser does not support ThreatCategory
+ | where (array_length(alertverdict_has_any) == 0) //Parser does not support AlertVerdict
+ | extend
+ EventCount = int(1),
+ EventEndTime = CreatedTimestamp,
+ EventType = "Alert",
+ EventProduct = "Falcon",
+ EventVendor = "CrowdStrike",
+ EventSchema = "AlertEvent",
+ EventSchemaVersion = "0.1",
+ DvcIpAddr = tostring(Device.local_ip),
+ DvcHostname = tostring(Device.hostname),
+ DvcDomain = tostring(Device.hostinfo.domain),
+ DvcDomainType = iif(isnotempty(Device.hostinfo.domain), "FQDN", ""),
+ DvcId = tostring(Device.device_id),
+ DvcIdType = iff(isnotempty(Device.device_id), "Other", ""),
+ EventProductVersion = tostring(Device.agent_version),
+ DvcOs = tostring(Device.platform_name),
+ DvcOsVersion = extract(@"([\d\.]+)", 1, tostring(Device.os_version))
+ | project-rename
+ EventStartTime = CreatedTimestamp,
+ EventOriginalUid = Id,
+ EventMessage = Description,
+ EventOriginalSeverity = SeverityName,
+ EventOriginalSubType = Scenario,
+ EventOriginalType = DetectionType,
+ EventReportUrl = FalconHostLink,
+ DvcOriginalAction = PatternDispositionDescription
+ | extend
+ AlertId = EventOriginalUid,
+ EventUid = _ItemId,
+ AlertDescription = EventMessage,
+ AlertStatus = iif(
+ Status in ("new", "in_progress"), "Active",
+ "Closed"
+ ),
+ DetectionMethod = case(
+ Objective == "Falcon Detection Method" and (
+ Name contains_cs "Policy"
+ or Name contains_cs "CustomTemplate"
+ or Name has_cs "CustomerIOC"
+ ), "User Defined Blocked List",
+ Objective == "Falcon Detection Method" and EventOriginalSubType == "intel_detection", "Threat Intelligence",
+ Objective == "Falcon Detection Method" and EventOriginalSubType in ("NGAV", "known_malware", ""), "Antivirus",
+ "EDR"
+ ),
+ EventSeverity = case(
+ EventOriginalSeverity in ("High", "Critical"), "High",
+ EventOriginalSeverity == "Medium", "Medium",
+ EventOriginalSeverity == "Low", "Low",
+ "Informational"
+ ),
+ EventSubType = iif(EventOriginalSubType == "suspicious_activity", "Suspicious Activity", "Threat"),
+ Rule = Name,
+ RuleNumber = toint(MitreAttack[0].pattern_id),
+ RuleName = Name,
+ RuleDescription = EventMessage,
+ ThreatName = tostring(IocContext[0].ioc_value),
+ IndicatorType = case(
+ IocContext[0].ioc_type in ("ipv4", "ipv6"), "Ip",
+ // IocContext[0].ioc_type == "", "User",
+ // IocContext[0].ioc_type == "", "Process",
+ // IocContext[0].ioc_type == "", "Registry",
+ // IocContext[0].ioc_type == "", "Url",
+ IocContext[0].ioc_type == "domain", "Host",
+ // IocContext[0].ioc_type == "", "Cloud Resource",
+ // IocContext[0].ioc_type == "", "Application",
+ IocContext[0].ioc_type in ("hash_sha256"), "File",
+ // IocContext[0].ioc_type == "", "Email",
+ // IocContext[0].ioc_type == "", "Mailbox",
+ // IocContext[0].ioc_type == "", "Logon Session",
+ ""
+ ),
+ AttackTactics = iif(TacticId startswith_cs "TA", Tactic, ""),
+ AttackTechniques = iif(TechniqueId startswith_cs "T", strcat(Technique, " (", TechniqueId, ")"), ""),
+ ThreatOriginalRiskLevel = tostring(Severity),
+ ThreatOriginalConfidence = tostring(Confidence),
+ UserIdType = case(
+ isnotempty(UserId) and UserId startswith_cs "S-", "SID",
+ isnotempty(UserId), "Other",
+ ""
+ ),
+ Username = coalesce(UserPrincipal, UserName),
+ FileName = Filename,
+ FilePath = Filepath,
+ FileSHA1 = Sha1,
+ FileSHA256 = Sha256
+ | where ((array_length(username_has_any) == 0) or Username has_any (username_has_any))
+ | where ((array_length(attacktactics_has_any) == 0) or AttackTactics has_any (attacktactics_has_any))
+ | where ((array_length(attacktechniques_has_any) == 0) or AttackTechniques has_any (attacktechniques_has_any))
+ | where ((array_length(eventseverity_has_any) == 0) or EventSeverity has_any (eventseverity_has_any))
+ | project-rename
+ AlertName = Name,
+ AlertOriginalStatus = Status,
+ ThreatRiskLevel = Severity,
+ ThreatConfidence = Confidence,
+ ProcessCommandLine = Cmdline,
+ ProcessName = Filename
+ | extend
+ UsernameType = case(
+ Username contains "@", "UPN",
+ isnotempty(Username), "Simple",
+ ""
+ ),
+ User = Username,
+ IpAddr = DvcIpAddr,
+ Hostname = DvcHostname,
+ AdditionalFields = iif(
+ pack, bag_pack(
+ "Device", Device,
+ "GlobalPrevalence", GlobalPrevalence,
+ "GrandparentDetails", GrandparentDetails,
+ "LocalPrevalence", LocalPrevalence,
+ "ParentDetails", ParentDetails,
+ "PatternDispositionDetails", PatternDispositionDetails,
+ "Objective", Objective
+ ),
+ dynamic(null)
+ )
+ | project
+ TimeGenerated
+ , Type
+ , AdditionalFields
+ , AlertDescription
+ , AlertId
+ , AlertName
+ , AlertOriginalStatus
+ , AlertStatus
+ // , AlertVerdict
+ // , AttackRemediationSteps
+ , AttackTactics
+ , AttackTechniques
+ , DetectionMethod
+ // , DvcAction
+ // , DvcDescription
+ , DvcDomain
+ , DvcDomainType
+ // , DvcFQDN
+ , DvcHostname
+ , DvcId
+ , DvcIdType
+ // , DvcInterface
+ , DvcIpAddr
+ // , DvcMacAddr
+ , DvcOriginalAction
+ , DvcOs
+ , DvcOsVersion
+ // , DvcScope
+ // , DvcScopeId
+ // , DvcZone
+ // , EmailMessageId
+ // , EmailSubject
+ , EventCount
+ , EventEndTime
+ , EventMessage
+ , EventOriginalSeverity
+ , EventOriginalSubType
+ , EventOriginalType
+ , EventOriginalUid
+ // , EventOwner
+ , EventProduct
+ , EventProductVersion
+ , EventReportUrl
+ //, EventResult
+ , EventSchema
+ , EventSchemaVersion
+ , EventSeverity
+ , EventStartTime
+ , EventSubType
+ , EventType
+ , EventUid
+ , EventVendor
+ //, FileMD5
+ , FileName
+ , FilePath
+ , FileSHA1
+ , FileSHA256
+ //, FileSize
+ , Hostname
+ //, IndicatorAssociation
+ , IndicatorType
+ , IpAddr
+ //, OriginalUserType
+ , ProcessCommandLine
+ //, ProcessFileCompany
+ , ProcessId
+ , ProcessName
+ // , RegistryKey
+ // , RegistryValue
+ // , RegistryValueData
+ // , RegistryValueType
+ , Rule
+ , RuleDescription
+ , RuleName
+ , RuleNumber
+ //, ThreatCategory
+ , ThreatConfidence
+ // , ThreatFirstReportedTime
+ // , ThreatId
+ // , ThreatIsActive
+ // , ThreatLastReportedTime
+ , ThreatName
+ // , ThreatOriginalCategory
+ , ThreatOriginalConfidence
+ , ThreatOriginalRiskLevel
+ , ThreatRiskLevel
+ // , Url
+ , User
+ , UserId
+ , UserIdType
+ , Username
+ , UsernameType
+ // , UserScope
+ // , UserScopeId
+ // , UserSessionId
+ // , UserType
+ };
+ parser(
+ starttime = starttime,
+ endtime = endtime,
+ ipaddr_has_any_prefix = ipaddr_has_any_prefix,
+ hostname_has_any = hostname_has_any,
+ username_has_any = username_has_any,
+ attacktactics_has_any = attacktactics_has_any,
+ attacktechniques_has_any = attacktechniques_has_any,
+ threatcategory_has_any = threatcategory_has_any,
+ alertverdict_has_any = alertverdict_has_any,
+ eventseverity_has_any = eventseverity_has_any,
+ pack=pack,
+ disabled=disabled
+ )
\ No newline at end of file
diff --git a/Sample Data/ASIM/CrowdStrike_Falcon_AlertEvent_IngestedLogs.csv b/Sample Data/ASIM/CrowdStrike_Falcon_AlertEvent_IngestedLogs.csv
new file mode 100644
index 00000000000..89ff42e9153
--- /dev/null
+++ b/Sample Data/ASIM/CrowdStrike_Falcon_AlertEvent_IngestedLogs.csv
@@ -0,0 +1,26 @@
+TenantId,"TimeGenerated [UTC]",AdversaryIds,Behaviors,BehaviorsProcessed,"CreatedTimestamp [UTC]",DateUpdated,DetectionId,"FirstBehavior [UTC]",HostInfo,"LastBehavior [UTC]",MaxConfidence,MaxSeverity,MaxSeverityDisplayName,OverwatchNotes,AgentScanId,"UpdatedTimestamp [UTC]",EmailSent,SecondsToResolved,SecondsToTriaged,ShowInUi,Status,AllegedFiletype,ChildProcessIds,CloudIndicator,Cmdline,DetectionContext,Device,FalconHostLink,Filename,Filepath,GlobalPrevalence,GrandparentDetails,Incident,IndicatorId,IocContext,LocalPrevalence,LocalProcessId,LogonDomain,Md5,NetworkAccesses,OsName,ParentDetails,ParentProcessId,PatternDisposition,PatternDispositionDescription,PatternDispositionDetails,ProcessEndTime,ProcessId,ProcessStartTime,Quarantined,QuarantinedFiles,ScanId,Sha256,Sha1,TemplateInstanceId,TemplateInterfaceId,TemplateInterfaceName,TreeId,TreeRoot,TriggeringProcessGraphId,DetectionType,UserId,UserName,UserPrincipal,AssignedToName,AssignedToUid,AssignedToUuid,Cid,CompositeId,Confidence,"CrawledTimestamp [UTC]",Description,"EndTime [UTC]",Entities,EntityValues,Id,MitreAttack,Name,References,SourceEventModel,Tactics,TacticIds,Techniques,TechniqueIds,XdrDetectionId,AddedPrivileges,AggregateId,Objective,PolyId,PreviousPrivileges,Privileges,Scenario,Severity,SeverityName,SourceAccountDomain,SourceAccountName,SourceAccountObjectGuid,SourceAccountObjectSid,SourceAccountSamAccountName,SourceAccountUpn,Tactic,Technique,TacticId,TechniqueId,TemplateInstanceIdText,TemplateInterfaceIdText,SourceSystem,Type
+"3187578c-499a-423e-9c9d-af9a55e1b4db","11/06/2026, 08:18:17.083",,,,"11/06/2026, 08:02:23.353",,,,,,,,,,,"11/06/2026, 08:06:23.099",true,0,0,true,new,exe,,,"""C:sers\contoso.user\AppData\Roaming\Zoom\ZoomDownload\Installer.exe"" ZInstaller --conf.mode=silent --ipc_wnd=1444332",,"{""agent_load_flags"":""16"",""agent_local_time"":""2026-06-04T18:08:53.2310000Z"",""agent_version"":""7.37.20907.0"",""bios_manufacturer"":""HP"",""bios_version"":"""",""cid"":""6c5013391ca490509937309c0521b3c6"",""config_id_base"":""65994767"",""config_id_build"":""20907"",""config_id_platform"":""3"",""device_id"":""430277e91d0e4b79a254d543df474365"",""external_ip"":""10.171.6.227"",""first_seen"":""2025-10-06T09:08:40.0000000Z"",""groups"":[""bb29ca195b294e31bb7a775259d2c71e""],""hostinfo"":{""active_directory_dn_display"":[""Mobile"",""Mobile\\EndUserDevices"",""Mobile\\EndUserDevices\\Workstations"",""Mobile\\EndUserDevices\\Workstations\\Accounts""],""domain"":""CONTOSO.local""},""hostname"":""host-406174"",""last_seen"":""2026-06-11T07:31:11.0000000Z"",""local_ip"":""10.202.40.30"",""mac_address"":""af-e7-0f-73-50-e0"",""machine_domain"":""CONTOSO.local"",""major_version"":""10"",""minor_version"":""0"",""modified_timestamp"":""2026-06-11T07:31:51.0000000Z"",""os_version"":""Windows 11"",""ou"":[""Mobile"",""EndUserDevices"",""Workstations"",""Accounts""],""platform_id"":""0"",""platform_name"":""Windows"",""product_type"":""1"",""product_type_desc"":""Workstation"",""site_name"":""PRODUCTION"",""status"":""normal"",""system_manufacturer"":""HP"",""system_product_name"":""HP 
PC""}","https://falcon.crowdstrike.com/activity-v2/detections/6c5013391ca490509937309c0521b3c6:ind:430277e91d0e4b79a254d543df474365:10256761721621-41004-56404240?_cid=c30dbcy2nbvaj34bar7dg5ixcs3cvzna","Installer.exe","\Device\HarddiskVolume3\Users\contoso.user\AppData\Roaming\Zoom\ZoomDownload\Installer.exe",common,"{""cmdline"":""C:\\Windows\\Explorer.EXE"",""filename"":""explorer.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\explorer.exe"",""local_process_id"":""14896"",""md5"":""663fb758a12bf5e237401dc65d9055f0"",""process_graph_id"":""pid:430277e91d0e4b79a254d543df474365:9880320112261"",""process_id"":""9880320112261"",""sha256"":""3bca0a9b2188105643f058c39f0999a92d686f650544124853606d61f77bd883"",""timestamp"":""2026-06-04T17:09:01.6690000Z"",""user_graph_id"":""uid:430277e91d0e4b79a254d543df474365:S-1-5-21-000000000-1431365391-3430335985-68688"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-68688"",""user_name"":""contoso.user""}",,"ind:430277e91d0e4b79a254d543df474365:10256761721621-41004-56404240","[]",common,17308,CONTOSO,0a7cb25c01b348a50c0c61e20232b8bd,,,"{""cmdline"":""\""C:\\Users\\contoso.user\\AppData\\Local\\Temp\\1\\MicrosoftEdgeDownloads\\3d53650e-bc88-4529-a52a-77587458adf0\\Zoom_cm_fxv8brsf4siz4Z9vvrZo4_mX0lQnwjGHlHnLWaCOxT-anMkX6eEbi9EMhW6@Us6CHVjS6m10iNLn_kb0904a8b391091d6_.exe\"" 
"",""filename"":""Zoom_cm_fxv8brsf4siz4Z9vvrZo4_mX0lQnwjGHlHnLWaCOxT-anMkX6eEbi9EMhW6@Us6CHVjS6m10iNLn_kb0904a8b391091d6_.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Users\\contoso.user\\AppData\\Local\\Temp\\1\\MicrosoftEdgeDownloads\\3d53650e-bc88-4529-a52a-77587458adf0\\Zoom_cm_fxv8brsf4siz4Z9vvrZo4_mX0lQnwjGHlHnLWaCOxT-anMkX6eEbi9EMhW6@Us6CHVjS6m10iNLn_kb0904a8b391091d6_.exe"",""local_process_id"":""42868"",""md5"":""1800ecd9cce506c84975e79934cdf32f"",""process_graph_id"":""pid:430277e91d0e4b79a254d543df474365:10256759665133"",""process_id"":""10256759665133"",""sha256"":""ca08964cfaa670b76b1a075b05d841fe3203e445812ad78d8f217d66368775de"",""timestamp"":""2026-06-11T08:03:25.0000000Z"",""user_graph_id"":""uid:430277e91d0e4b79a254d543df474365:S-1-5-21-000000000-1431365391-3430335985-68688"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-68688"",""user_name"":""contoso.user""}",10256759665133,16,"Prevention, process killed.","{""blocking_unsupported_or_disabled"":false,""bootup_safeguard_enabled"":false,""containment_file_system"":false,""critical_process_disabled"":false,""detect"":false,""fs_operation_blocked"":false,""handle_operation_downgraded"":false,""inddet_mask"":false,""indicator"":false,""kill_action_failed"":false,""kill_parent"":false,""kill_process"":true,""kill_subprocess"":false,""mfa_required"":false,""operation_blocked"":false,""policy_disabled"":false,""prevention_provisioning_enabled"":false,""process_blocked"":false,""quarantine_file"":false,""quarantine_machine"":false,""registry_operation_blocked"":false,""response_action_already_applied"":false,""response_action_failed"":false,""response_action_triggered"":false,""rooting"":false,""sensor_only"":false,""suspend_parent"":false,""suspend_process"":false}",1781164862,10256761721621,1781164851,,,,200530e9d02952df9a70807bdc37c438b56a7cb4250d5b0ca5357a8c8df1344b,0000000000000000000000000000000000000000,,,,725852539520,10256761721621,"pid:430277e91d0e4b79a254d543df474365:10256761721621"
,ldt,"S-1-5-21-000000000-1431365391-3430335985-68688","contoso.user","contoso.user@CONTOSO.local",,,,6c5013391ca490509937309c0521b3c6,"6c5013391ca490509937309c0521b3c6:ind:430277e91d0e4b79a254d543df474365:10256761721621-41004-56404240",100,"11/06/2026, 08:06:23.099","A process triggered an informational severity custom rule.",,,,"ind:430277e91d0e4b79a254d543df474365:10256761721621-41004-56404240","[{""pattern_id"":41004,""tactic_id"":""CSTA0005"",""technique_id"":""CST0004"",""tactic"":""Custom Intelligence"",""technique"":""Indicator of Attack""}]",WinCustomTemplateInformationalPattern,,,,,,,,,"aggind:430277e91d0e4b79a254d543df474365:725852539520","Falcon Detection Method","AACNRXn2HKRAUJk3MJwFIbPGEc0LYh5j54NNFOq9qo--zQAATiFO_PUGAywAH8r4VX51QR3kmB5cVD_90YOOY7bbWbP8JA==",,,"suspicious_activity",10,Informational,,,,,,,"Custom Intelligence","Indicator of Attack",CSTA0005,CST0004,,,,CrowdStrikeDetections
+"3187578c-499a-423e-9c9d-af9a55e1b4db","11/06/2026, 08:18:17.083",,,,"11/06/2026, 08:02:23.389",,,,,,,,,,,"11/06/2026, 08:06:23.099",true,0,0,true,new,exe,,,"""C:sers\contoso.user\AppData\Roaming\Zoom\ZoomDownload\Installer.exe"" ZInstaller --conf.mode=silent --ipc_wnd=1444332",,"{""agent_load_flags"":""16"",""agent_local_time"":""2026-06-04T18:08:53.2310000Z"",""agent_version"":""7.37.20907.0"",""bios_manufacturer"":""HP"",""bios_version"":"""",""cid"":""6c5013391ca490509937309c0521b3c6"",""config_id_base"":""65994767"",""config_id_build"":""20907"",""config_id_platform"":""3"",""device_id"":""430277e91d0e4b79a254d543df474365"",""external_ip"":""10.171.6.227"",""first_seen"":""2025-10-06T09:08:40.0000000Z"",""groups"":[""bb29ca195b294e31bb7a775259d2c71e""],""hostinfo"":{""active_directory_dn_display"":[""Mobile"",""Mobile\\EndUserDevices"",""Mobile\\EndUserDevices\\Workstations"",""Mobile\\EndUserDevices\\Workstations\\Accounts""],""domain"":""CONTOSO.local""},""hostname"":""host-406174"",""last_seen"":""2026-06-11T07:31:11.0000000Z"",""local_ip"":""10.202.40.30"",""mac_address"":""af-e7-0f-73-50-e0"",""machine_domain"":""CONTOSO.local"",""major_version"":""10"",""minor_version"":""0"",""modified_timestamp"":""2026-06-11T07:31:51.0000000Z"",""os_version"":""Windows 11"",""ou"":[""Mobile"",""EndUserDevices"",""Workstations"",""Accounts""],""platform_id"":""0"",""platform_name"":""Windows"",""product_type"":""1"",""product_type_desc"":""Workstation"",""site_name"":""PRODUCTION"",""status"":""normal"",""system_manufacturer"":""HP"",""system_product_name"":""HP 
PC""}","https://falcon.crowdstrike.com/activity-v2/detections/6c5013391ca490509937309c0521b3c6:ind:430277e91d0e4b79a254d543df474365:10256761721621-41004-56405264?_cid=c30dbcy2nbvaj34bar7dg5ixcs3cvzna","Installer.exe","\Device\HarddiskVolume3\Users\contoso.user\AppData\Roaming\Zoom\ZoomDownload\Installer.exe",common,"{""cmdline"":""C:\\Windows\\Explorer.EXE"",""filename"":""explorer.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\explorer.exe"",""local_process_id"":""14896"",""md5"":""663fb758a12bf5e237401dc65d9055f0"",""process_graph_id"":""pid:430277e91d0e4b79a254d543df474365:9880320112261"",""process_id"":""9880320112261"",""sha256"":""3bca0a9b2188105643f058c39f0999a92d686f650544124853606d61f77bd883"",""timestamp"":""2026-06-04T17:09:01.6690000Z"",""user_graph_id"":""uid:430277e91d0e4b79a254d543df474365:S-1-5-21-000000000-1431365391-3430335985-68688"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-68688"",""user_name"":""contoso.user""}",,"ind:430277e91d0e4b79a254d543df474365:10256761721621-41004-56405264","[]",common,17308,CONTOSO,0a7cb25c01b348a50c0c61e20232b8bd,,,"{""cmdline"":""\""C:\\Users\\contoso.user\\AppData\\Local\\Temp\\1\\MicrosoftEdgeDownloads\\3d53650e-bc88-4529-a52a-77587458adf0\\Zoom_cm_fxv8brsf4siz4Z9vvrZo4_mX0lQnwjGHlHnLWaCOxT-anMkX6eEbi9EMhW6@Us6CHVjS6m10iNLn_kb0904a8b391091d6_.exe\"" 
"",""filename"":""Zoom_cm_fxv8brsf4siz4Z9vvrZo4_mX0lQnwjGHlHnLWaCOxT-anMkX6eEbi9EMhW6@Us6CHVjS6m10iNLn_kb0904a8b391091d6_.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Users\\contoso.user\\AppData\\Local\\Temp\\1\\MicrosoftEdgeDownloads\\3d53650e-bc88-4529-a52a-77587458adf0\\Zoom_cm_fxv8brsf4siz4Z9vvrZo4_mX0lQnwjGHlHnLWaCOxT-anMkX6eEbi9EMhW6@Us6CHVjS6m10iNLn_kb0904a8b391091d6_.exe"",""local_process_id"":""42868"",""md5"":""1800ecd9cce506c84975e79934cdf32f"",""process_graph_id"":""pid:430277e91d0e4b79a254d543df474365:10256759665133"",""process_id"":""10256759665133"",""sha256"":""ca08964cfaa670b76b1a075b05d841fe3203e445812ad78d8f217d66368775de"",""timestamp"":""2026-06-11T08:03:25.0000000Z"",""user_graph_id"":""uid:430277e91d0e4b79a254d543df474365:S-1-5-21-000000000-1431365391-3430335985-68688"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-68688"",""user_name"":""contoso.user""}",10256759665133,16,"Prevention, process killed.","{""blocking_unsupported_or_disabled"":false,""bootup_safeguard_enabled"":false,""containment_file_system"":false,""critical_process_disabled"":false,""detect"":false,""fs_operation_blocked"":false,""handle_operation_downgraded"":false,""inddet_mask"":false,""indicator"":false,""kill_action_failed"":false,""kill_parent"":false,""kill_process"":true,""kill_subprocess"":false,""mfa_required"":false,""operation_blocked"":false,""policy_disabled"":false,""prevention_provisioning_enabled"":false,""process_blocked"":false,""quarantine_file"":false,""quarantine_machine"":false,""registry_operation_blocked"":false,""response_action_already_applied"":false,""response_action_failed"":false,""response_action_triggered"":false,""rooting"":false,""sensor_only"":false,""suspend_parent"":false,""suspend_process"":false}",1781164862,10256761721621,1781164851,,,,200530e9d02952df9a70807bdc37c438b56a7cb4250d5b0ca5357a8c8df1344b,0000000000000000000000000000000000000000,,,,725852539520,10256761721621,"pid:430277e91d0e4b79a254d543df474365:10256761721621"
,ldt,"S-1-5-21-000000000-1431365391-3430335985-68688","contoso.user","contoso.user@CONTOSO.local",,,,6c5013391ca490509937309c0521b3c6,"6c5013391ca490509937309c0521b3c6:ind:430277e91d0e4b79a254d543df474365:10256761721621-41004-56405264",100,"11/06/2026, 08:06:23.099","A process triggered an informational severity custom rule.",,,,"ind:430277e91d0e4b79a254d543df474365:10256761721621-41004-56405264","[{""pattern_id"":41004,""tactic_id"":""CSTA0005"",""technique_id"":""CST0004"",""tactic"":""Custom Intelligence"",""technique"":""Indicator of Attack""}]",WinCustomTemplateInformationalPattern,,,,,,,,,"aggind:430277e91d0e4b79a254d543df474365:725852539520","Falcon Detection Method","AACNRXn2HKRAUJk3MJwFIbPGVrneEfMDMf0CvZynZoO2_AAATiFNitjbHowOE4gG2uPz8K_2ZXqzgYrLb7UKkWQAn5E9dA==",,,"suspicious_activity",10,Informational,,,,,,,"Custom Intelligence","Indicator of Attack",CSTA0005,CST0004,,,,CrowdStrikeDetections
+"3187578c-499a-423e-9c9d-af9a55e1b4db","11/06/2026, 10:48:17.234",,,,"11/06/2026, 10:44:53.907",,,,,,,,,,,"11/06/2026, 10:44:58.158",true,4,0,true,closed,exe,"[""pid:af77fe7408fd42e5958e8578628dc531:25233157765596"",""pid:af77fe7408fd42e5958e8578628dc531:25233135042951"",""pid:af77fe7408fd42e5958e8578628dc531:25233122170361"",""pid:af77fe7408fd42e5958e8578628dc531:25233123111633"",""pid:af77fe7408fd42e5958e8578628dc531:25233164902524"",""pid:af77fe7408fd42e5958e8578628dc531:25233166787791"",""pid:af77fe7408fd42e5958e8578628dc531:25233180002745"",""pid:af77fe7408fd42e5958e8578628dc531:25233191341566"",""pid:af77fe7408fd42e5958e8578628dc531:25233162917029"",""pid:af77fe7408fd42e5958e8578628dc531:25233204789905"",""pid:af77fe7408fd42e5958e8578628dc531:25233208033264"",""pid:af77fe7408fd42e5958e8578628dc531:25233169213078"",""pid:af77fe7408fd42e5958e8578628dc531:25233170007683"",""pid:af77fe7408fd42e5958e8578628dc531:25236770413747"",""pid:af77fe7408fd42e5958e8578628dc531:25237274828029"",""pid:af77fe7408fd42e5958e8578628dc531:25238611790782"",""pid:af77fe7408fd42e5958e8578628dc531:25239518737581"",""pid:af77fe7408fd42e5958e8578628dc531:25239829024560"",""pid:af77fe7408fd42e5958e8578628dc531:25240090663930"",""pid:af77fe7408fd42e5958e8578628dc531:25240085632967"",""pid:af77fe7408fd42e5958e8578628dc531:25240090112771"",""pid:af77fe7408fd42e5958e8578628dc531:25240981272318"",""pid:af77fe7408fd42e5958e8578628dc531:25241276230919"",""pid:af77fe7408fd42e5958e8578628dc531:25241493298365"",""pid:af77fe7408fd42e5958e8578628dc531:25242034978753"",""pid:af77fe7408fd42e5958e8578628dc531:25242058170705"",""pid:af77fe7408fd42e5958e8578628dc531:25242060059071"",""pid:af77fe7408fd42e5958e8578628dc531:25242826620001"",""pid:af77fe7408fd42e5958e8578628dc531:25242811152656"",""pid:af77fe7408fd42e5958e8578628dc531:25242802913452"",""pid:af77fe7408fd42e5958e8578628dc531:25242613113705"",""pid:af77fe7408fd42e5958e8578628dc531:25242789931150"",""pid:af77fe7408fd42e5958e8578628dc531:25242995
594822"",""pid:af77fe7408fd42e5958e8578628dc531:25243010571254"",""pid:af77fe7408fd42e5958e8578628dc531:25243016528285"",""pid:af77fe7408fd42e5958e8578628dc531:25242948618249"",""pid:af77fe7408fd42e5958e8578628dc531:25242982535787"",""pid:af77fe7408fd42e5958e8578628dc531:25243092994131"",""pid:af77fe7408fd42e5958e8578628dc531:25243130940362"",""pid:af77fe7408fd42e5958e8578628dc531:25243207726365"",""pid:af77fe7408fd42e5958e8578628dc531:25243203414811"",""pid:af77fe7408fd42e5958e8578628dc531:25243200530031"",""pid:af77fe7408fd42e5958e8578628dc531:25243209559602"",""pid:af77fe7408fd42e5958e8578628dc531:25243304024583"",""pid:af77fe7408fd42e5958e8578628dc531:25243326385084"",""pid:af77fe7408fd42e5958e8578628dc531:25243306370857"",""pid:af77fe7408fd42e5958e8578628dc531:25243343585541"",""pid:af77fe7408fd42e5958e8578628dc531:25243356132821"",""pid:af77fe7408fd42e5958e8578628dc531:25243328595010"",""pid:af77fe7408fd42e5958e8578628dc531:25243677094635""]",,"""C:\Program Files\Windows Defender Advanced Threat 
Protection\MsSense.exe""",,"{""agent_load_flags"":""17"",""agent_local_time"":""2026-06-09T10:37:16.7560000Z"",""agent_version"":""7.37.20907.0"",""bios_manufacturer"":""HP"",""bios_version"":"""",""cid"":""6c5013391ca490509937309c0521b3c6"",""config_id_base"":""65994767"",""config_id_build"":""20907"",""config_id_platform"":""3"",""device_id"":""af77fe7408fd42e5958e8578628dc531"",""external_ip"":""10.0.166.142"",""first_seen"":""2022-12-07T19:30:38.0000000Z"",""groups"":[""bb29ca195b294e31bb7a775259d2c71e""],""hostinfo"":{""active_directory_dn_display"":[""Mobile"",""Mobile\\EndUserDevices"",""Mobile\\EndUserDevices\\Workstations"",""Mobile\\EndUserDevices\\Workstations\\Accounts""],""domain"":""CONTOSO.local""},""hostname"":""host-403115"",""last_seen"":""2026-06-11T10:31:01.0000000Z"",""local_ip"":""192.168.68.69"",""mac_address"":""af-90-0f-8e-50-08"",""machine_domain"":""CONTOSO.local"",""major_version"":""10"",""minor_version"":""0"",""modified_timestamp"":""2026-06-11T10:31:46.0000000Z"",""os_version"":""Windows 11"",""ou"":[""Mobile"",""EndUserDevices"",""Workstations"",""Accounts""],""platform_id"":""0"",""platform_name"":""Windows"",""product_type"":""1"",""product_type_desc"":""Workstation"",""site_name"":""PRODUCTION"",""status"":""normal"",""system_manufacturer"":""HP"",""system_product_name"":""HP PC""}","https://falcon.crowdstrike.com/activity-v2/detections/6c5013391ca490509937309c0521b3c6:ind:af77fe7408fd42e5958e8578628dc531:25233068064868-5733-36173840?_cid=c30dbcy2nbvaj34bar7dg5ixcs3cvzna","MsSense.exe","\Device\HarddiskVolume3\Program Files\Windows Defender Advanced Threat 
Protection\MsSense.exe",common,"{""cmdline"":""wininit.exe"",""filename"":""wininit.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\System32\\wininit.exe"",""local_process_id"":""1176"",""md5"":""2cdb35ab7fce9327d8b8ad6a533df34d"",""process_graph_id"":""pid:af77fe7408fd42e5958e8578628dc531:25232941233373"",""process_id"":""25232941233373"",""sha256"":""1f592106643009e028cc583322d91e6895d16e12690178ba0690452516c7b911"",""timestamp"":""2026-06-09T16:37:23.3890000Z"",""user_graph_id"":""uid:af77fe7408fd42e5958e8578628dc531:S-1-5-18"",""user_id"":""S-1-5-18"",""user_name"":""host-403115$""}",,"ind:af77fe7408fd42e5958e8578628dc531:25233068064868-5733-36173840","[{""ioc_description"":""\\Device\\HarddiskVolume3\\$WINDOWS.~BT\\Work\\12\\amd64_windows-senseclient-service_31bf3856ad364e35_10.0.26100.1_none_a518656df7c165fb\\SenseAP.exe"",""ioc_source"":""file_write"",""ioc_type"":""hash_sha256"",""ioc_value"":""80c698f1202977de82f4bd05728ccebf6b6836423648d684589466372ab23c28"",""sha256"":""80c698f1202977de82f4bd05728ccebf6b6836423648d684589466372ab23c28"",""type"":""module""}]",common,6936,CONTOSO,e01ffaf5cd82220a0fee64ca3dcd5c1d,"[{""access_timestamp"":""1781023049"",""access_type"":0,""connection_direction"":""Outbound"",""isIPV6"":false,""local_address"":""10.200.6.63"",""local_port"":""50968"",""protocol"":""TCP"",""remote_address"":""10.179.176.23"",""remote_port"":""135""},{""access_timestamp"":""1781023051"",""access_type"":0,""connection_direction"":""Outbound"",""isIPV6"":false,""local_address"":""10.200.6.63"",""local_port"":""50996"",""protocol"":""TCP"",""remote_address"":""72.153.100.13"",""remote_port"":""443""},{""access_timestamp"":""1781023085"",""access_type"":0,""connection_direction"":""Outbound"",""isIPV6"":false,""local_address"":""10.200.6.63"",""local_port"":""51091"",""protocol"":""TCP"",""remote_address"":""10.179.176.23"",""remote_port"":""49669""},{""access_timestamp"":""1781023182"",""access_type"":0,""connection_direction"":""Outbound""
,""isIPV6"":false,""local_address"":""10.200.6.63"",""local_port"":""53066"",""protocol"":""TCP"",""remote_address"":""13.89.178.26"",""remote_port"":""443""},{""access_timestamp"":""1781023183"",""access_type"":0,""connection_direction"":""Outbound"",""isIPV6"":false,""local_address"":""10.200.6.63"",""local_port"":""53069"",""protocol"":""TCP"",""remote_address"":""10.179.176.24"",""remote_port"":""49668""},{""access_timestamp"":""1781023183"",""access_type"":0,""connection_direction"":""Outbound"",""isIPV6"":false,""local_address"":""10.200.6.63"",""local_port"":""53068"",""protocol"":""TCP"",""remote_address"":""10.179.176.24"",""remote_port"":""135""},{""access_timestamp"":""1781023305"",""access_type"":0,""connection_direction"":""Outbound"",""isIPV6"":false,""local_address"":""10.200.6.63"",""local_port"":""53349"",""protocol"":""TCP"",""remote_address"":""52.168.117.171"",""remote_port"":""443""},{""access_timestamp"":""1781023327"",""access_type"":0,""connection_direction"":""Outbound"",""isIPV6"":false,""local_address"":""10.200.6.63"",""local_port"":""57645"",""protocol"":""TCP"",""remote_address"":""104.208.16.92"",""remote_port"":""443""},{""access_timestamp"":""1781023447"",""access_type"":0,""connection_direction"":""Outbound"",""isIPV6"":false,""local_address"":""10.200.6.63"",""local_port"":""55477"",""protocol"":""TCP"",""remote_address"":""52.168.112.66"",""remote_port"":""443""},{""access_timestamp"":""1781023546"",""access_type"":0,""connection_direction"":""Outbound"",""isIPV6"":false,""local_address"":""10.200.6.63"",""local_port"":""50274"",""protocol"":""TCP"",""remote_address"":""52.182.143.210"",""remote_port"":""443""}]",,"{""cmdline"":""C:\\WINDOWS\\system32\\services.exe"",""filename"":""services.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\System32\\services.exe"",""local_process_id"":""1252"",""md5"":""9231a3bd3ea5897debe82603f180b862"",""process_graph_id"":""pid:af77fe7408fd42e5958e8578628dc531:25232942625894"",""process_
id"":""25232942625894"",""sha256"":""f58b4b4f816d81eb1d1f6b4931e7620f24bb0ad96d576535769fdb56ede8aec2"",""timestamp"":""2026-06-09T16:37:23.3890000Z"",""user_graph_id"":""uid:af77fe7408fd42e5958e8578628dc531:S-1-5-18"",""user_id"":""S-1-5-18"",""user_name"":""host-403115$""}",25232942625894,0,"Detection, standard detection.","{""blocking_unsupported_or_disabled"":false,""bootup_safeguard_enabled"":false,""containment_file_system"":false,""critical_process_disabled"":false,""detect"":false,""fs_operation_blocked"":false,""handle_operation_downgraded"":false,""inddet_mask"":false,""indicator"":false,""kill_action_failed"":false,""kill_parent"":false,""kill_process"":false,""kill_subprocess"":false,""mfa_required"":false,""operation_blocked"":false,""policy_disabled"":false,""prevention_provisioning_enabled"":false,""process_blocked"":false,""quarantine_file"":false,""quarantine_machine"":false,""registry_operation_blocked"":false,""response_action_already_applied"":false,""response_action_failed"":false,""response_action_triggered"":false,""rooting"":false,""sensor_only"":false,""suspend_parent"":false,""suspend_process"":false}",,25233068064868,1781023040,,,,80c698f1202977de82f4bd05728ccebf6b6836423648d684589466372ab23c28,0000000000000000000000000000000000000000,,,,936303458859,25233068064868,"pid:af77fe7408fd42e5958e8578628dc531:25233068064868",ldt,"S-1-5-18","host-403115$","host-403115$@CONTOSO.local","Crowdstrike Team","eppteam@crowdstrike.com",00000000000000000000000000000000,6c5013391ca490509937309c0521b3c6,"6c5013391ca490509937309c0521b3c6:ind:af77fe7408fd42e5958e8578628dc531:25233068064868-5733-36173840",70,"11/06/2026, 10:44:53.907","A file written to the file system meets the on-sensor machine learning high confidence threshold for malicious files. 
Detection is based on a high degree of entropy, packing, anti-malware evasion, or other similarity to known malware.",,,,"ind:af77fe7408fd42e5958e8578628dc531:25233068064868-5733-36173840","[{""pattern_id"":5733,""tactic_id"":""CSTA0004"",""technique_id"":""CST0007"",""tactic"":""Machine Learning"",""technique"":""Sensor-based ML""}]","OnWrite-MLSensor-High",,,,,,,,,"aggind:af77fe7408fd42e5958e8578628dc531:936303458859","Falcon Detection Method","AACNRXn2HKRAUJk3MJwFIbPGiOlF-659zFJNQ1wbU_h8mgAATiEVIZyG_M33YiGhbqYd6-tthS4rJerFs-zelmbFhEvGiA==",,,NGAV,70,High,,,,,,,"Machine Learning","Sensor-based ML",CSTA0004,CST0007,,,,CrowdStrikeDetections
+"3187578c-499a-423e-9c9d-af9a55e1b4db","09/06/2026, 15:48:16.816",,,,"09/06/2026, 15:32:17.684",,,,,,,,,,,"09/06/2026, 15:36:17.231",true,0,0,true,new,exe,,,"""C:sers\contoso.user\AppData\Roaming\Zoom\ZoomDownload\Installer.exe"" ZInstaller --conf.mode=silent --ipc_wnd=69024",,"{""agent_load_flags"":""16"",""agent_local_time"":""2026-06-06T21:29:31.0540000Z"",""agent_version"":""7.37.20907.0"",""bios_manufacturer"":""HP"",""bios_version"":"""",""cid"":""6c5013391ca490509937309c0521b3c6"",""config_id_base"":""65994767"",""config_id_build"":""20907"",""config_id_platform"":""3"",""device_id"":""f083f1b0ac7049588ff82226dba61f46"",""external_ip"":""10.183.226.115"",""first_seen"":""2024-09-17T16:40:50.0000000Z"",""groups"":[""bb29ca195b294e31bb7a775259d2c71e""],""hostinfo"":{""active_directory_dn_display"":[""Mobile"",""Mobile\\EndUserDevices"",""Mobile\\EndUserDevices\\Workstations"",""Mobile\\EndUserDevices\\Workstations\\Accounts""],""domain"":""CONTOSO.local""},""hostname"":""host-406406"",""last_seen"":""2026-06-09T15:29:48.0000000Z"",""local_ip"":""192.168.1.77"",""mac_address"":""af-29-0f-c8-50-e8"",""machine_domain"":""CONTOSO.local"",""major_version"":""10"",""minor_version"":""0"",""modified_timestamp"":""2026-06-09T15:31:07.0000000Z"",""os_version"":""Windows 11"",""ou"":[""Mobile"",""EndUserDevices"",""Workstations"",""Accounts""],""platform_id"":""0"",""platform_name"":""Windows"",""product_type"":""1"",""product_type_desc"":""Workstation"",""site_name"":""PRODUCTION"",""status"":""normal"",""system_manufacturer"":""HP"",""system_product_name"":""HP PC""}","https://falcon.crowdstrike.com/activity-v2/detections/6c5013391ca490509937309c0521b3c6:ind:f083f1b0ac7049588ff82226dba61f46:9247672693201-41004-22878992?_cid=c30dbcy2nbvaj34bar7dg5ixcs3cvzna","Installer.exe","\Device\HarddiskVolume3\Users\contoso.user\AppData\Roaming\Zoom\ZoomDownload\Installer.exe",common,"{""cmdline"":""\""C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\"" 
"",""filename"":""chrome.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Program Files\\Google\\Chrome\\Application\\chrome.exe"",""local_process_id"":""14820"",""md5"":""4cc00a7a9fd24a51a95b32bdaf06d152"",""process_graph_id"":""pid:f083f1b0ac7049588ff82226dba61f46:9247257853146"",""process_id"":""9247257853146"",""sha256"":""88c293321ec7745f6d2e28cbf2ad00ee57cc2a6e776cef66e7710609a79da540"",""timestamp"":""2026-06-09T15:18:00.0000000Z"",""user_graph_id"":""uid:f083f1b0ac7049588ff82226dba61f46:S-1-5-21-000000000-1431365391-3430335985-6250"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-6250"",""user_name"":""contoso.user""}",,"ind:f083f1b0ac7049588ff82226dba61f46:9247672693201-41004-22878992","[]",common,18456,CONTOSO,0a7cb25c01b348a50c0c61e20232b8bd,,,"{""cmdline"":""\""C:\\Users\\contoso.user\\Downloads\\Zoom_cm_ftiiesZ9vvrZo4_mdsX+szAXPZxPHJFQBCuYNM9nBOe2se5GxVGv@SseU3fYq08dP79Lw_kc5af7907ddd940a8_.exe\"" "",""filename"":""Zoom_cm_ftiiesZ9vvrZo4_mdsX+szAXPZxPHJFQBCuYNM9nBOe2se5GxVGv@SseU3fYq08dP79Lw_kc5af7907ddd940a8_.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Users\\contoso.user\\Downloads\\Zoom_cm_ftiiesZ9vvrZo4_mdsX+szAXPZxPHJFQBCuYNM9nBOe2se5GxVGv@SseU3fYq08dP79Lw_kc5af7907ddd940a8_.exe"",""local_process_id"":""27500"",""md5"":""1800ecd9cce506c84975e79934cdf32f"",""process_graph_id"":""pid:f083f1b0ac7049588ff82226dba61f46:9247671128454"",""process_id"":""9247671128454"",""sha256"":""ca08964cfaa670b76b1a075b05d841fe3203e445812ad78d8f217d66368775de"",""timestamp"":""2026-06-09T15:31:09.0000000Z"",""user_graph_id"":""uid:f083f1b0ac7049588ff82226dba61f46:S-1-5-21-000000000-1431365391-3430335985-6250"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-6250"",""user_name"":""contoso.user""}",9247671128454,16,"Prevention, process 
killed.","{""blocking_unsupported_or_disabled"":false,""bootup_safeguard_enabled"":false,""containment_file_system"":false,""critical_process_disabled"":false,""detect"":false,""fs_operation_blocked"":false,""handle_operation_downgraded"":false,""inddet_mask"":false,""indicator"":false,""kill_action_failed"":false,""kill_parent"":false,""kill_process"":true,""kill_subprocess"":false,""mfa_required"":false,""operation_blocked"":false,""policy_disabled"":false,""prevention_provisioning_enabled"":false,""process_blocked"":false,""quarantine_file"":false,""quarantine_machine"":false,""registry_operation_blocked"":false,""response_action_already_applied"":false,""response_action_failed"":false,""response_action_triggered"":false,""rooting"":false,""sensor_only"":false,""suspend_parent"":false,""suspend_process"":false}",1781019072,9247672693201,1781019071,,,,200530e9d02952df9a70807bdc37c438b56a7cb4250d5b0ca5357a8c8df1344b,0000000000000000000000000000000000000000,,,,601298876249,9247672693201,"pid:f083f1b0ac7049588ff82226dba61f46:9247672693201",ldt,"S-1-5-21-000000000-1431365391-3430335985-6250","contoso.user","contoso.user@CONTOSO.local",,,,6c5013391ca490509937309c0521b3c6,"6c5013391ca490509937309c0521b3c6:ind:f083f1b0ac7049588ff82226dba61f46:9247672693201-41004-22878992",100,"09/06/2026, 15:36:17.231","A process triggered an informational severity custom rule.",,,,"ind:f083f1b0ac7049588ff82226dba61f46:9247672693201-41004-22878992","[{""pattern_id"":41004,""tactic_id"":""CSTA0005"",""technique_id"":""CST0004"",""tactic"":""Custom Intelligence"",""technique"":""Indicator of Attack""}]",WinCustomTemplateInformationalPattern,,,,,,,,,"aggind:f083f1b0ac7049588ff82226dba61f46:601298876249","Falcon Detection Method","AACNRXn2HKRAUJk3MJwFIbPGc6rwqj7AuTmPpUe8GnH7IwAATiEh6u_2L5S6RWrSclAtTPV3EHTEI0Q9v90U1sE7Y9qDDg==",,,"suspicious_activity",10,Informational,,,,,,,"Custom Intelligence","Indicator of Attack",CSTA0005,CST0004,,,,CrowdStrikeDetections
+"3187578c-499a-423e-9c9d-af9a55e1b4db","09/06/2026, 15:48:16.816",,,,"09/06/2026, 15:32:17.763",,,,,,,,,,,"09/06/2026, 15:36:17.140",true,0,0,true,new,exe,,,"""C:sers\contoso.user\AppData\Roaming\Zoom\ZoomDownload\Installer.exe"" ZInstaller --conf.mode=silent --ipc_wnd=69024",,"{""agent_load_flags"":""16"",""agent_local_time"":""2026-06-06T21:29:31.0540000Z"",""agent_version"":""7.37.20907.0"",""bios_manufacturer"":""HP"",""bios_version"":"""",""cid"":""6c5013391ca490509937309c0521b3c6"",""config_id_base"":""65994767"",""config_id_build"":""20907"",""config_id_platform"":""3"",""device_id"":""f083f1b0ac7049588ff82226dba61f46"",""external_ip"":""10.183.226.115"",""first_seen"":""2024-09-17T16:40:50.0000000Z"",""groups"":[""bb29ca195b294e31bb7a775259d2c71e""],""hostinfo"":{""active_directory_dn_display"":[""Mobile"",""Mobile\\EndUserDevices"",""Mobile\\EndUserDevices\\Workstations"",""Mobile\\EndUserDevices\\Workstations\\Accounts""],""domain"":""CONTOSO.local""},""hostname"":""host-406406"",""last_seen"":""2026-06-09T15:29:48.0000000Z"",""local_ip"":""192.168.1.77"",""mac_address"":""af-29-0f-c8-50-e8"",""machine_domain"":""CONTOSO.local"",""major_version"":""10"",""minor_version"":""0"",""modified_timestamp"":""2026-06-09T15:31:07.0000000Z"",""os_version"":""Windows 11"",""ou"":[""Mobile"",""EndUserDevices"",""Workstations"",""Accounts""],""platform_id"":""0"",""platform_name"":""Windows"",""product_type"":""1"",""product_type_desc"":""Workstation"",""site_name"":""PRODUCTION"",""status"":""normal"",""system_manufacturer"":""HP"",""system_product_name"":""HP PC""}","https://falcon.crowdstrike.com/activity-v2/detections/6c5013391ca490509937309c0521b3c6:ind:f083f1b0ac7049588ff82226dba61f46:9247672693201-41004-22879760?_cid=c30dbcy2nbvaj34bar7dg5ixcs3cvzna","Installer.exe","\Device\HarddiskVolume3\Users\contoso.user\AppData\Roaming\Zoom\ZoomDownload\Installer.exe",common,"{""cmdline"":""\""C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\"" 
"",""filename"":""chrome.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Program Files\\Google\\Chrome\\Application\\chrome.exe"",""local_process_id"":""14820"",""md5"":""4cc00a7a9fd24a51a95b32bdaf06d152"",""process_graph_id"":""pid:f083f1b0ac7049588ff82226dba61f46:9247257853146"",""process_id"":""9247257853146"",""sha256"":""88c293321ec7745f6d2e28cbf2ad00ee57cc2a6e776cef66e7710609a79da540"",""timestamp"":""2026-06-09T15:18:00.0000000Z"",""user_graph_id"":""uid:f083f1b0ac7049588ff82226dba61f46:S-1-5-21-000000000-1431365391-3430335985-6250"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-6250"",""user_name"":""contoso.user""}",,"ind:f083f1b0ac7049588ff82226dba61f46:9247672693201-41004-22879760","[]",common,18456,CONTOSO,0a7cb25c01b348a50c0c61e20232b8bd,,,"{""cmdline"":""\""C:\\Users\\contoso.user\\Downloads\\Zoom_cm_ftiiesZ9vvrZo4_mdsX+szAXPZxPHJFQBCuYNM9nBOe2se5GxVGv@SseU3fYq08dP79Lw_kc5af7907ddd940a8_.exe\"" "",""filename"":""Zoom_cm_ftiiesZ9vvrZo4_mdsX+szAXPZxPHJFQBCuYNM9nBOe2se5GxVGv@SseU3fYq08dP79Lw_kc5af7907ddd940a8_.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Users\\contoso.user\\Downloads\\Zoom_cm_ftiiesZ9vvrZo4_mdsX+szAXPZxPHJFQBCuYNM9nBOe2se5GxVGv@SseU3fYq08dP79Lw_kc5af7907ddd940a8_.exe"",""local_process_id"":""27500"",""md5"":""1800ecd9cce506c84975e79934cdf32f"",""process_graph_id"":""pid:f083f1b0ac7049588ff82226dba61f46:9247671128454"",""process_id"":""9247671128454"",""sha256"":""ca08964cfaa670b76b1a075b05d841fe3203e445812ad78d8f217d66368775de"",""timestamp"":""2026-06-09T15:31:09.0000000Z"",""user_graph_id"":""uid:f083f1b0ac7049588ff82226dba61f46:S-1-5-21-000000000-1431365391-3430335985-6250"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-6250"",""user_name"":""contoso.user""}",9247671128454,16,"Prevention, process 
killed.","{""blocking_unsupported_or_disabled"":false,""bootup_safeguard_enabled"":false,""containment_file_system"":false,""critical_process_disabled"":false,""detect"":false,""fs_operation_blocked"":false,""handle_operation_downgraded"":false,""inddet_mask"":false,""indicator"":false,""kill_action_failed"":false,""kill_parent"":false,""kill_process"":true,""kill_subprocess"":false,""mfa_required"":false,""operation_blocked"":false,""policy_disabled"":false,""prevention_provisioning_enabled"":false,""process_blocked"":false,""quarantine_file"":false,""quarantine_machine"":false,""registry_operation_blocked"":false,""response_action_already_applied"":false,""response_action_failed"":false,""response_action_triggered"":false,""rooting"":false,""sensor_only"":false,""suspend_parent"":false,""suspend_process"":false}",1781019072,9247672693201,1781019071,,,,200530e9d02952df9a70807bdc37c438b56a7cb4250d5b0ca5357a8c8df1344b,0000000000000000000000000000000000000000,,,,601298876249,9247672693201,"pid:f083f1b0ac7049588ff82226dba61f46:9247672693201",ldt,"S-1-5-21-000000000-1431365391-3430335985-6250","contoso.user","contoso.user@CONTOSO.local",,,,6c5013391ca490509937309c0521b3c6,"6c5013391ca490509937309c0521b3c6:ind:f083f1b0ac7049588ff82226dba61f46:9247672693201-41004-22879760",100,"09/06/2026, 15:36:17.140","A process triggered an informational severity custom rule.",,,,"ind:f083f1b0ac7049588ff82226dba61f46:9247672693201-41004-22879760","[{""pattern_id"":41004,""tactic_id"":""CSTA0005"",""technique_id"":""CST0004"",""tactic"":""Custom Intelligence"",""technique"":""Indicator of Attack""}]",WinCustomTemplateInformationalPattern,,,,,,,,,"aggind:f083f1b0ac7049588ff82226dba61f46:601298876249","Falcon Detection Method","AACNRXn2HKRAUJk3MJwFIbPG1_pykO7zrKsYR2TSM6NnPQAATiEgzASg3cpZO0DX98gjaUEWC3n9E8Ekroo2DuTKSPT6IQ==",,,"suspicious_activity",10,Informational,,,,,,,"Custom Intelligence","Indicator of Attack",CSTA0005,CST0004,,,,CrowdStrikeDetections
+"3187578c-499a-423e-9c9d-af9a55e1b4db","09/06/2026, 15:48:16.816",,,,"09/06/2026, 15:39:50.131",,,,,,,,,,,"09/06/2026, 15:43:50.125",true,0,0,true,new,exe,,,"""C:sers\contoso.user\AppData\Roaming\Zoom\ZoomDownload\Installer.exe"" ZInstaller --conf.mode=silent --ipc_wnd=658282",,"{""agent_load_flags"":""16"",""agent_local_time"":""2026-06-06T21:29:31.0540000Z"",""agent_version"":""7.37.20907.0"",""bios_manufacturer"":""HP"",""bios_version"":"""",""cid"":""6c5013391ca490509937309c0521b3c6"",""config_id_base"":""65994767"",""config_id_build"":""20907"",""config_id_platform"":""3"",""device_id"":""f083f1b0ac7049588ff82226dba61f46"",""external_ip"":""10.183.226.115"",""first_seen"":""2024-09-17T16:40:50.0000000Z"",""groups"":[""bb29ca195b294e31bb7a775259d2c71e""],""hostinfo"":{""active_directory_dn_display"":[""Mobile"",""Mobile\\EndUserDevices"",""Mobile\\EndUserDevices\\Workstations"",""Mobile\\EndUserDevices\\Workstations\\Accounts""],""domain"":""CONTOSO.local""},""hostname"":""host-406406"",""last_seen"":""2026-06-09T15:29:48.0000000Z"",""local_ip"":""192.168.1.77"",""mac_address"":""af-29-0f-c8-50-e8"",""machine_domain"":""CONTOSO.local"",""major_version"":""10"",""minor_version"":""0"",""modified_timestamp"":""2026-06-09T15:31:07.0000000Z"",""os_version"":""Windows 11"",""ou"":[""Mobile"",""EndUserDevices"",""Workstations"",""Accounts""],""platform_id"":""0"",""platform_name"":""Windows"",""product_type"":""1"",""product_type_desc"":""Workstation"",""site_name"":""PRODUCTION"",""status"":""normal"",""system_manufacturer"":""HP"",""system_product_name"":""HP PC""}","https://falcon.crowdstrike.com/activity-v2/detections/6c5013391ca490509937309c0521b3c6:ind:f083f1b0ac7049588ff82226dba61f46:9247767553876-41004-23325456?_cid=c30dbcy2nbvaj34bar7dg5ixcs3cvzna","Installer.exe","\Device\HarddiskVolume3\Users\contoso.user\AppData\Roaming\Zoom\ZoomDownload\Installer.exe",common,"{""cmdline"":""\""C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\"" 
"",""filename"":""chrome.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Program Files\\Google\\Chrome\\Application\\chrome.exe"",""local_process_id"":""14820"",""md5"":""4cc00a7a9fd24a51a95b32bdaf06d152"",""process_graph_id"":""pid:f083f1b0ac7049588ff82226dba61f46:9247257853146"",""process_id"":""9247257853146"",""sha256"":""88c293321ec7745f6d2e28cbf2ad00ee57cc2a6e776cef66e7710609a79da540"",""timestamp"":""2026-06-09T15:18:00.0000000Z"",""user_graph_id"":""uid:f083f1b0ac7049588ff82226dba61f46:S-1-5-21-000000000-1431365391-3430335985-6250"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-6250"",""user_name"":""contoso.user""}",,"ind:f083f1b0ac7049588ff82226dba61f46:9247767553876-41004-23325456","[]",common,27780,CONTOSO,0a7cb25c01b348a50c0c61e20232b8bd,,,"{""cmdline"":""\""C:\\Users\\contoso.user\\Downloads\\Zoom_cm_ftiiesZ9vvrZo4_m4lQTvl0sTfDkgvld6xjs+FC1MM-stH4viYEk@5xGdgx7YhmyEKR-i_kc5af7907ddd940a8_.exe\"" "",""filename"":""Zoom_cm_ftiiesZ9vvrZo4_m4lQTvl0sTfDkgvld6xjs+FC1MM-stH4viYEk@5xGdgx7YhmyEKR-i_kc5af7907ddd940a8_.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Users\\contoso.user\\Downloads\\Zoom_cm_ftiiesZ9vvrZo4_m4lQTvl0sTfDkgvld6xjs+FC1MM-stH4viYEk@5xGdgx7YhmyEKR-i_kc5af7907ddd940a8_.exe"",""local_process_id"":""24712"",""md5"":""1800ecd9cce506c84975e79934cdf32f"",""process_graph_id"":""pid:f083f1b0ac7049588ff82226dba61f46:9247766896478"",""process_id"":""9247766896478"",""sha256"":""ca08964cfaa670b76b1a075b05d841fe3203e445812ad78d8f217d66368775de"",""timestamp"":""2026-06-09T15:38:45.0000000Z"",""user_graph_id"":""uid:f083f1b0ac7049588ff82226dba61f46:S-1-5-21-000000000-1431365391-3430335985-6250"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-6250"",""user_name"":""contoso.user""}",9247766896478,16,"Prevention, process 
killed.","{""blocking_unsupported_or_disabled"":false,""bootup_safeguard_enabled"":false,""containment_file_system"":false,""critical_process_disabled"":false,""detect"":false,""fs_operation_blocked"":false,""handle_operation_downgraded"":false,""inddet_mask"":false,""indicator"":false,""kill_action_failed"":false,""kill_parent"":false,""kill_process"":true,""kill_subprocess"":false,""mfa_required"":false,""operation_blocked"":false,""policy_disabled"":false,""prevention_provisioning_enabled"":false,""process_blocked"":false,""quarantine_file"":false,""quarantine_machine"":false,""registry_operation_blocked"":false,""response_action_already_applied"":false,""response_action_failed"":false,""response_action_triggered"":false,""rooting"":false,""sensor_only"":false,""suspend_parent"":false,""suspend_process"":false}",1781019527,9247767553876,1781019526,,,,200530e9d02952df9a70807bdc37c438b56a7cb4250d5b0ca5357a8c8df1344b,0000000000000000000000000000000000000000,,,,601299857219,9247767553876,"pid:f083f1b0ac7049588ff82226dba61f46:9247767553876",ldt,"S-1-5-21-000000000-1431365391-3430335985-6250","contoso.user","contoso.user@CONTOSO.local",,,,6c5013391ca490509937309c0521b3c6,"6c5013391ca490509937309c0521b3c6:ind:f083f1b0ac7049588ff82226dba61f46:9247767553876-41004-23325456",100,"09/06/2026, 15:43:50.125","A process triggered an informational severity custom rule.",,,,"ind:f083f1b0ac7049588ff82226dba61f46:9247767553876-41004-23325456","[{""pattern_id"":41004,""tactic_id"":""CSTA0005"",""technique_id"":""CST0004"",""tactic"":""Custom Intelligence"",""technique"":""Indicator of Attack""}]",WinCustomTemplateInformationalPattern,,,,,,,,,"aggind:f083f1b0ac7049588ff82226dba61f46:601299857219","Falcon Detection Method","AACNRXn2HKRAUJk3MJwFIbPGZ-4JDmAOZQwBqQJh_XA9vwAATiFD5ZxOTt26PjFcXgdR6fe3C48BpaUVu9DTYYOI2QY0vA==",,,"suspicious_activity",10,Informational,,,,,,,"Custom Intelligence","Indicator of Attack",CSTA0005,CST0004,,,,CrowdStrikeDetections
+"3187578c-499a-423e-9c9d-af9a55e1b4db","09/06/2026, 15:48:16.816",,,,"09/06/2026, 15:39:50.191",,,,,,,,,,,"09/06/2026, 15:43:50.107",true,0,0,true,new,exe,,,"""C:sers\contoso.user\AppData\Roaming\Zoom\ZoomDownload\Installer.exe"" ZInstaller --conf.mode=silent --ipc_wnd=658282",,"{""agent_load_flags"":""16"",""agent_local_time"":""2026-06-06T21:29:31.0540000Z"",""agent_version"":""7.37.20907.0"",""bios_manufacturer"":""HP"",""bios_version"":"""",""cid"":""6c5013391ca490509937309c0521b3c6"",""config_id_base"":""65994767"",""config_id_build"":""20907"",""config_id_platform"":""3"",""device_id"":""f083f1b0ac7049588ff82226dba61f46"",""external_ip"":""10.183.226.115"",""first_seen"":""2024-09-17T16:40:50.0000000Z"",""groups"":[""bb29ca195b294e31bb7a775259d2c71e""],""hostinfo"":{""active_directory_dn_display"":[""Mobile"",""Mobile\\EndUserDevices"",""Mobile\\EndUserDevices\\Workstations"",""Mobile\\EndUserDevices\\Workstations\\Accounts""],""domain"":""CONTOSO.local""},""hostname"":""host-406406"",""last_seen"":""2026-06-09T15:29:48.0000000Z"",""local_ip"":""192.168.1.77"",""mac_address"":""af-29-0f-c8-50-e8"",""machine_domain"":""CONTOSO.local"",""major_version"":""10"",""minor_version"":""0"",""modified_timestamp"":""2026-06-09T15:31:07.0000000Z"",""os_version"":""Windows 11"",""ou"":[""Mobile"",""EndUserDevices"",""Workstations"",""Accounts""],""platform_id"":""0"",""platform_name"":""Windows"",""product_type"":""1"",""product_type_desc"":""Workstation"",""site_name"":""PRODUCTION"",""status"":""normal"",""system_manufacturer"":""HP"",""system_product_name"":""HP PC""}","https://falcon.crowdstrike.com/activity-v2/detections/6c5013391ca490509937309c0521b3c6:ind:f083f1b0ac7049588ff82226dba61f46:9247767553876-41004-23325968?_cid=c30dbcy2nbvaj34bar7dg5ixcs3cvzna","Installer.exe","\Device\HarddiskVolume3\Users\contoso.user\AppData\Roaming\Zoom\ZoomDownload\Installer.exe",common,"{""cmdline"":""\""C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\"" 
"",""filename"":""chrome.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Program Files\\Google\\Chrome\\Application\\chrome.exe"",""local_process_id"":""14820"",""md5"":""4cc00a7a9fd24a51a95b32bdaf06d152"",""process_graph_id"":""pid:f083f1b0ac7049588ff82226dba61f46:9247257853146"",""process_id"":""9247257853146"",""sha256"":""88c293321ec7745f6d2e28cbf2ad00ee57cc2a6e776cef66e7710609a79da540"",""timestamp"":""2026-06-09T15:18:00.0000000Z"",""user_graph_id"":""uid:f083f1b0ac7049588ff82226dba61f46:S-1-5-21-000000000-1431365391-3430335985-6250"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-6250"",""user_name"":""contoso.user""}",,"ind:f083f1b0ac7049588ff82226dba61f46:9247767553876-41004-23325968","[]",common,27780,CONTOSO,0a7cb25c01b348a50c0c61e20232b8bd,,,"{""cmdline"":""\""C:\\Users\\contoso.user\\Downloads\\Zoom_cm_ftiiesZ9vvrZo4_m4lQTvl0sTfDkgvld6xjs+FC1MM-stH4viYEk@5xGdgx7YhmyEKR-i_kc5af7907ddd940a8_.exe\"" "",""filename"":""Zoom_cm_ftiiesZ9vvrZo4_m4lQTvl0sTfDkgvld6xjs+FC1MM-stH4viYEk@5xGdgx7YhmyEKR-i_kc5af7907ddd940a8_.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Users\\contoso.user\\Downloads\\Zoom_cm_ftiiesZ9vvrZo4_m4lQTvl0sTfDkgvld6xjs+FC1MM-stH4viYEk@5xGdgx7YhmyEKR-i_kc5af7907ddd940a8_.exe"",""local_process_id"":""24712"",""md5"":""1800ecd9cce506c84975e79934cdf32f"",""process_graph_id"":""pid:f083f1b0ac7049588ff82226dba61f46:9247766896478"",""process_id"":""9247766896478"",""sha256"":""ca08964cfaa670b76b1a075b05d841fe3203e445812ad78d8f217d66368775de"",""timestamp"":""2026-06-09T15:38:45.0000000Z"",""user_graph_id"":""uid:f083f1b0ac7049588ff82226dba61f46:S-1-5-21-000000000-1431365391-3430335985-6250"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-6250"",""user_name"":""contoso.user""}",9247766896478,16,"Prevention, process 
killed.","{""blocking_unsupported_or_disabled"":false,""bootup_safeguard_enabled"":false,""containment_file_system"":false,""critical_process_disabled"":false,""detect"":false,""fs_operation_blocked"":false,""handle_operation_downgraded"":false,""inddet_mask"":false,""indicator"":false,""kill_action_failed"":false,""kill_parent"":false,""kill_process"":true,""kill_subprocess"":false,""mfa_required"":false,""operation_blocked"":false,""policy_disabled"":false,""prevention_provisioning_enabled"":false,""process_blocked"":false,""quarantine_file"":false,""quarantine_machine"":false,""registry_operation_blocked"":false,""response_action_already_applied"":false,""response_action_failed"":false,""response_action_triggered"":false,""rooting"":false,""sensor_only"":false,""suspend_parent"":false,""suspend_process"":false}",1781019527,9247767553876,1781019526,,,,200530e9d02952df9a70807bdc37c438b56a7cb4250d5b0ca5357a8c8df1344b,0000000000000000000000000000000000000000,,,,601299857219,9247767553876,"pid:f083f1b0ac7049588ff82226dba61f46:9247767553876",ldt,"S-1-5-21-000000000-1431365391-3430335985-6250","contoso.user","contoso.user@CONTOSO.local",,,,6c5013391ca490509937309c0521b3c6,"6c5013391ca490509937309c0521b3c6:ind:f083f1b0ac7049588ff82226dba61f46:9247767553876-41004-23325968",100,"09/06/2026, 15:43:50.107","A process triggered an informational severity custom rule.",,,,"ind:f083f1b0ac7049588ff82226dba61f46:9247767553876-41004-23325968","[{""pattern_id"":41004,""tactic_id"":""CSTA0005"",""technique_id"":""CST0004"",""tactic"":""Custom Intelligence"",""technique"":""Indicator of Attack""}]",WinCustomTemplateInformationalPattern,,,,,,,,,"aggind:f083f1b0ac7049588ff82226dba61f46:601299857219","Falcon Detection Method","AACNRXn2HKRAUJk3MJwFIbPGYRWkvtl1pSwTfBOelddPPwAATiGBBCglOJN2tcXWfwqqDdMl80kLaZ9_PqQSVOL_mrmP5w==",,,"suspicious_activity",10,Informational,,,,,,,"Custom Intelligence","Indicator of Attack",CSTA0005,CST0004,,,,CrowdStrikeDetections
+"3187578c-499a-423e-9c9d-af9a55e1b4db","10/06/2026, 15:03:17.396",,,,"10/06/2026, 15:00:07.593",,,,,,,,,,,"10/06/2026, 15:00:11.930",true,0,0,true,new,exe,,,"""C:sers\contoso.user\AppData\Roaming\Zoom\ZoomDownload\Installer.exe"" ZInstaller --conf.mode=silent --ipc_wnd=330176",,"{""agent_load_flags"":""17"",""agent_local_time"":""2026-06-08T09:40:11.5790000Z"",""agent_version"":""7.37.20907.0"",""bios_manufacturer"":""HP"",""bios_version"":"""",""cid"":""6c5013391ca490509937309c0521b3c6"",""config_id_base"":""65994767"",""config_id_build"":""20907"",""config_id_platform"":""3"",""device_id"":""9c6da4284205479fa6a544050e7f1ee4"",""external_ip"":""10.173.154.130"",""first_seen"":""2023-10-10T19:06:15.0000000Z"",""groups"":[""bb29ca195b294e31bb7a775259d2c71e""],""hostinfo"":{""active_directory_dn_display"":[""Mobile"",""Mobile\\EndUserDevices"",""Mobile\\EndUserDevices\\Workstations"",""Mobile\\EndUserDevices\\Workstations\\Accounts""],""domain"":""CONTOSO.local""},""hostname"":""host-400615"",""last_seen"":""2026-06-10T14:44:53.0000000Z"",""local_ip"":""10.200.12.103"",""mac_address"":""af-e9-0f-2b-50-e0"",""machine_domain"":""CONTOSO.local"",""major_version"":""10"",""minor_version"":""0"",""modified_timestamp"":""2026-06-10T14:45:06.0000000Z"",""os_version"":""Windows 11"",""ou"":[""Mobile"",""EndUserDevices"",""Workstations"",""Accounts""],""platform_id"":""0"",""platform_name"":""Windows"",""product_type"":""1"",""product_type_desc"":""Workstation"",""site_name"":""PRODUCTION"",""status"":""normal"",""system_manufacturer"":""HP"",""system_product_name"":""HP 
PC""}","https://falcon.crowdstrike.com/activity-v2/detections/6c5013391ca490509937309c0521b3c6:ind:9c6da4284205479fa6a544050e7f1ee4:12949591128326-41004-26115344?_cid=c30dbcy2nbvaj34bar7dg5ixcs3cvzna","Installer.exe","\Device\HarddiskVolume3\Users\contoso.user\AppData\Roaming\Zoom\ZoomDownload\Installer.exe",common,"{""cmdline"":""C:\\WINDOWS\\Explorer.EXE"",""filename"":""explorer.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\explorer.exe"",""local_process_id"":""13684"",""md5"":""ac40353454b81af352815bc599e26380"",""process_graph_id"":""pid:9c6da4284205479fa6a544050e7f1ee4:12902376871638"",""process_id"":""12902376871638"",""sha256"":""f468e15e73aae3ddab99ea74a9b34bab0104790e5e5b90906fafb713f3f4c7ea"",""timestamp"":""2026-06-08T15:42:05.0000000Z"",""user_graph_id"":""uid:9c6da4284205479fa6a544050e7f1ee4:S-1-5-21-000000000-1431365391-3430335985-10759"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-10759"",""user_name"":""contoso.user""}",,"ind:9c6da4284205479fa6a544050e7f1ee4:12949591128326-41004-26115344","[]",common,30024,CONTOSO,0a7cb25c01b348a50c0c61e20232b8bd,,,"{""cmdline"":""\""C:\\Users\\contoso.user\\Downloads\\Zoom_cm_fbvukesuwfku4z5eZ9vvrZo4_m-zFyWV+E7SP6deIlfZVNLNm64iIya9R1-hKj@gFfFjbUEVmzv4nzd_ka74c66f5c1a373b6_.exe\"" 
"",""filename"":""Zoom_cm_fbvukesuwfku4z5eZ9vvrZo4_m-zFyWV+E7SP6deIlfZVNLNm64iIya9R1-hKj@gFfFjbUEVmzv4nzd_ka74c66f5c1a373b6_.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Users\\contoso.user\\Downloads\\Zoom_cm_fbvukesuwfku4z5eZ9vvrZo4_m-zFyWV+E7SP6deIlfZVNLNm64iIya9R1-hKj@gFfFjbUEVmzv4nzd_ka74c66f5c1a373b6_.exe"",""local_process_id"":""29792"",""md5"":""1800ecd9cce506c84975e79934cdf32f"",""process_graph_id"":""pid:9c6da4284205479fa6a544050e7f1ee4:12949582599611"",""process_id"":""12949582599611"",""sha256"":""ca08964cfaa670b76b1a075b05d841fe3203e445812ad78d8f217d66368775de"",""timestamp"":""2026-06-10T14:58:58.0000000Z"",""user_graph_id"":""uid:9c6da4284205479fa6a544050e7f1ee4:S-1-5-21-000000000-1431365391-3430335985-10759"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-10759"",""user_name"":""contoso.user""}",12949582599611,16,"Prevention, process killed.","{""blocking_unsupported_or_disabled"":false,""bootup_safeguard_enabled"":false,""containment_file_system"":false,""critical_process_disabled"":false,""detect"":false,""fs_operation_blocked"":false,""handle_operation_downgraded"":false,""inddet_mask"":false,""indicator"":false,""kill_action_failed"":false,""kill_parent"":false,""kill_process"":true,""kill_subprocess"":false,""mfa_required"":false,""operation_blocked"":false,""policy_disabled"":false,""prevention_provisioning_enabled"":false,""process_blocked"":false,""quarantine_file"":false,""quarantine_machine"":false,""registry_operation_blocked"":false,""response_action_already_applied"":false,""response_action_failed"":false,""response_action_triggered"":false,""rooting"":false,""sensor_only"":false,""suspend_parent"":false,""suspend_process"":false}",1781103542,12949591128326,1781103540,,,,200530e9d02952df9a70807bdc37c438b56a7cb4250d5b0ca5357a8c8df1344b,0000000000000000000000000000000000000000,,,,1434521101653,12949591128326,"pid:9c6da4284205479fa6a544050e7f1ee4:12949591128326",ldt,"S-1-5-21-000000000-1431365391-3430335985-10759","contoso.user",
"contoso.user@CONTOSO.local",,,,6c5013391ca490509937309c0521b3c6,"6c5013391ca490509937309c0521b3c6:ind:9c6da4284205479fa6a544050e7f1ee4:12949591128326-41004-26115344",100,"10/06/2026, 15:00:07.593","A process triggered an informational severity custom rule.",,,,"ind:9c6da4284205479fa6a544050e7f1ee4:12949591128326-41004-26115344","[{""pattern_id"":41004,""tactic_id"":""CSTA0005"",""technique_id"":""CST0004"",""tactic"":""Custom Intelligence"",""technique"":""Indicator of Attack""}]",WinCustomTemplateInformationalPattern,,,,,,,,,"aggind:9c6da4284205479fa6a544050e7f1ee4:1434521101653","Falcon Detection Method","AACNRXn2HKRAUJk3MJwFIbPG_SXD5QYCsvUgJbW0WcfXBAAATiFtcKhJ6ZoBs5z7le2uHYomuPleGSoBhQXHF3Nwjtf8MA==",,,"suspicious_activity",10,Informational,,,,,,,"Custom Intelligence","Indicator of Attack",CSTA0005,CST0004,,,,CrowdStrikeDetections
+"3187578c-499a-423e-9c9d-af9a55e1b4db","10/06/2026, 15:03:17.396",,,,"10/06/2026, 15:00:07.598",,,,,,,,,,,"10/06/2026, 15:00:11.840",true,0,0,true,new,exe,,,"""C:sers\contoso.user\AppData\Roaming\Zoom\ZoomDownload\Installer.exe"" ZInstaller --conf.mode=silent --ipc_wnd=330176",,"{""agent_load_flags"":""17"",""agent_local_time"":""2026-06-08T09:40:11.5790000Z"",""agent_version"":""7.37.20907.0"",""bios_manufacturer"":""HP"",""bios_version"":"""",""cid"":""6c5013391ca490509937309c0521b3c6"",""config_id_base"":""65994767"",""config_id_build"":""20907"",""config_id_platform"":""3"",""device_id"":""9c6da4284205479fa6a544050e7f1ee4"",""external_ip"":""10.173.154.130"",""first_seen"":""2023-10-10T19:06:15.0000000Z"",""groups"":[""bb29ca195b294e31bb7a775259d2c71e""],""hostinfo"":{""active_directory_dn_display"":[""Mobile"",""Mobile\\EndUserDevices"",""Mobile\\EndUserDevices\\Workstations"",""Mobile\\EndUserDevices\\Workstations\\Accounts""],""domain"":""CONTOSO.local""},""hostname"":""host-400615"",""last_seen"":""2026-06-10T14:44:53.0000000Z"",""local_ip"":""10.200.12.103"",""mac_address"":""af-e9-0f-2b-50-e0"",""machine_domain"":""CONTOSO.local"",""major_version"":""10"",""minor_version"":""0"",""modified_timestamp"":""2026-06-10T14:45:06.0000000Z"",""os_version"":""Windows 11"",""ou"":[""Mobile"",""EndUserDevices"",""Workstations"",""Accounts""],""platform_id"":""0"",""platform_name"":""Windows"",""product_type"":""1"",""product_type_desc"":""Workstation"",""site_name"":""PRODUCTION"",""status"":""normal"",""system_manufacturer"":""HP"",""system_product_name"":""HP 
PC""}","https://falcon.crowdstrike.com/activity-v2/detections/6c5013391ca490509937309c0521b3c6:ind:9c6da4284205479fa6a544050e7f1ee4:12949591128326-41004-26114576?_cid=c30dbcy2nbvaj34bar7dg5ixcs3cvzna","Installer.exe","\Device\HarddiskVolume3\Users\contoso.user\AppData\Roaming\Zoom\ZoomDownload\Installer.exe",common,"{""cmdline"":""C:\\WINDOWS\\Explorer.EXE"",""filename"":""explorer.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\explorer.exe"",""local_process_id"":""13684"",""md5"":""ac40353454b81af352815bc599e26380"",""process_graph_id"":""pid:9c6da4284205479fa6a544050e7f1ee4:12902376871638"",""process_id"":""12902376871638"",""sha256"":""f468e15e73aae3ddab99ea74a9b34bab0104790e5e5b90906fafb713f3f4c7ea"",""timestamp"":""2026-06-08T15:42:05.0000000Z"",""user_graph_id"":""uid:9c6da4284205479fa6a544050e7f1ee4:S-1-5-21-000000000-1431365391-3430335985-10759"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-10759"",""user_name"":""contoso.user""}",,"ind:9c6da4284205479fa6a544050e7f1ee4:12949591128326-41004-26114576","[]",common,30024,CONTOSO,0a7cb25c01b348a50c0c61e20232b8bd,,,"{""cmdline"":""\""C:\\Users\\contoso.user\\Downloads\\Zoom_cm_fbvukesuwfku4z5eZ9vvrZo4_m-zFyWV+E7SP6deIlfZVNLNm64iIya9R1-hKj@gFfFjbUEVmzv4nzd_ka74c66f5c1a373b6_.exe\"" 
"",""filename"":""Zoom_cm_fbvukesuwfku4z5eZ9vvrZo4_m-zFyWV+E7SP6deIlfZVNLNm64iIya9R1-hKj@gFfFjbUEVmzv4nzd_ka74c66f5c1a373b6_.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Users\\contoso.user\\Downloads\\Zoom_cm_fbvukesuwfku4z5eZ9vvrZo4_m-zFyWV+E7SP6deIlfZVNLNm64iIya9R1-hKj@gFfFjbUEVmzv4nzd_ka74c66f5c1a373b6_.exe"",""local_process_id"":""29792"",""md5"":""1800ecd9cce506c84975e79934cdf32f"",""process_graph_id"":""pid:9c6da4284205479fa6a544050e7f1ee4:12949582599611"",""process_id"":""12949582599611"",""sha256"":""ca08964cfaa670b76b1a075b05d841fe3203e445812ad78d8f217d66368775de"",""timestamp"":""2026-06-10T14:58:58.0000000Z"",""user_graph_id"":""uid:9c6da4284205479fa6a544050e7f1ee4:S-1-5-21-000000000-1431365391-3430335985-10759"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-10759"",""user_name"":""contoso.user""}",12949582599611,16,"Prevention, process killed.","{""blocking_unsupported_or_disabled"":false,""bootup_safeguard_enabled"":false,""containment_file_system"":false,""critical_process_disabled"":false,""detect"":false,""fs_operation_blocked"":false,""handle_operation_downgraded"":false,""inddet_mask"":false,""indicator"":false,""kill_action_failed"":false,""kill_parent"":false,""kill_process"":true,""kill_subprocess"":false,""mfa_required"":false,""operation_blocked"":false,""policy_disabled"":false,""prevention_provisioning_enabled"":false,""process_blocked"":false,""quarantine_file"":false,""quarantine_machine"":false,""registry_operation_blocked"":false,""response_action_already_applied"":false,""response_action_failed"":false,""response_action_triggered"":false,""rooting"":false,""sensor_only"":false,""suspend_parent"":false,""suspend_process"":false}",1781103542,12949591128326,1781103540,,,,200530e9d02952df9a70807bdc37c438b56a7cb4250d5b0ca5357a8c8df1344b,0000000000000000000000000000000000000000,,,,1434521101653,12949591128326,"pid:9c6da4284205479fa6a544050e7f1ee4:12949591128326",ldt,"S-1-5-21-000000000-1431365391-3430335985-10759","contoso.user",
"contoso.user@CONTOSO.local",,,,6c5013391ca490509937309c0521b3c6,"6c5013391ca490509937309c0521b3c6:ind:9c6da4284205479fa6a544050e7f1ee4:12949591128326-41004-26114576",100,"10/06/2026, 15:00:07.598","A process triggered an informational severity custom rule.",,,,"ind:9c6da4284205479fa6a544050e7f1ee4:12949591128326-41004-26114576","[{""pattern_id"":41004,""tactic_id"":""CSTA0005"",""technique_id"":""CST0004"",""tactic"":""Custom Intelligence"",""technique"":""Indicator of Attack""}]",WinCustomTemplateInformationalPattern,,,,,,,,,"aggind:9c6da4284205479fa6a544050e7f1ee4:1434521101653","Falcon Detection Method","AACNRXn2HKRAUJk3MJwFIbPGKDFvJm15O_C7b7uURvuFTQAATiFjLD0AS-oA8chrBw7-zvgKsOvP3LSfevPQfeJ6QMU6tw==",,,"suspicious_activity",10,Informational,,,,,,,"Custom Intelligence","Indicator of Attack",CSTA0005,CST0004,,,,CrowdStrikeDetections
+"3187578c-499a-423e-9c9d-af9a55e1b4db","09/06/2026, 16:03:17.126",,,,"09/06/2026, 15:56:41.900",,,,,,,,,,,"09/06/2026, 16:00:41.530",true,0,0,true,new,exe,,,"""C:sers\contoso.user\AppData\Roaming\Zoom\ZoomDownload\Installer.exe"" ZInstaller --conf.mode=silent --ipc_wnd=265276",,"{""agent_load_flags"":""16"",""agent_local_time"":""2026-06-06T21:29:31.0540000Z"",""agent_version"":""7.37.20907.0"",""bios_manufacturer"":""HP"",""bios_version"":"""",""cid"":""6c5013391ca490509937309c0521b3c6"",""config_id_base"":""65994767"",""config_id_build"":""20907"",""config_id_platform"":""3"",""device_id"":""f083f1b0ac7049588ff82226dba61f46"",""external_ip"":""10.183.226.115"",""first_seen"":""2024-09-17T16:40:50.0000000Z"",""groups"":[""bb29ca195b294e31bb7a775259d2c71e""],""hostinfo"":{""active_directory_dn_display"":[""Mobile"",""Mobile\\EndUserDevices"",""Mobile\\EndUserDevices\\Workstations"",""Mobile\\EndUserDevices\\Workstations\\Accounts""],""domain"":""CONTOSO.local""},""hostname"":""host-406406"",""last_seen"":""2026-06-09T15:55:48.0000000Z"",""local_ip"":""192.168.1.77"",""mac_address"":""af-29-0f-c8-50-e8"",""machine_domain"":""CONTOSO.local"",""major_version"":""10"",""minor_version"":""0"",""modified_timestamp"":""2026-06-09T15:56:22.0000000Z"",""os_version"":""Windows 11"",""ou"":[""Mobile"",""EndUserDevices"",""Workstations"",""Accounts""],""platform_id"":""0"",""platform_name"":""Windows"",""product_type"":""1"",""product_type_desc"":""Workstation"",""site_name"":""PRODUCTION"",""status"":""normal"",""system_manufacturer"":""HP"",""system_product_name"":""HP PC""}","https://falcon.crowdstrike.com/activity-v2/detections/6c5013391ca490509937309c0521b3c6:ind:f083f1b0ac7049588ff82226dba61f46:9248788647272-41004-24248592?_cid=c30dbcy2nbvaj34bar7dg5ixcs3cvzna","Installer.exe","\Device\HarddiskVolume3\Users\contoso.user\AppData\Roaming\Zoom\ZoomDownload\Installer.exe",common,"{""cmdline"":""\""C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\"" 
"",""filename"":""chrome.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Program Files\\Google\\Chrome\\Application\\chrome.exe"",""local_process_id"":""14820"",""md5"":""4cc00a7a9fd24a51a95b32bdaf06d152"",""process_graph_id"":""pid:f083f1b0ac7049588ff82226dba61f46:9247257853146"",""process_id"":""9247257853146"",""sha256"":""88c293321ec7745f6d2e28cbf2ad00ee57cc2a6e776cef66e7710609a79da540"",""timestamp"":""2026-06-09T15:18:00.0000000Z"",""user_graph_id"":""uid:f083f1b0ac7049588ff82226dba61f46:S-1-5-21-000000000-1431365391-3430335985-6250"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-6250"",""user_name"":""contoso.user""}",,"ind:f083f1b0ac7049588ff82226dba61f46:9248788647272-41004-24248592","[]",common,38464,CONTOSO,0a7cb25c01b348a50c0c61e20232b8bd,,,"{""cmdline"":""\""C:\\Users\\contoso.user\\Downloads\\Zoom_cm_ftiiesZ9vvrZo4_m71xXJPcy515f8rvwuJjGrc8hhzypvk1f8fX+@OLNxlEHLRsjJZITn_kc5af7907ddd940a8_.exe\"" "",""filename"":""Zoom_cm_ftiiesZ9vvrZo4_m71xXJPcy515f8rvwuJjGrc8hhzypvk1f8fX+@OLNxlEHLRsjJZITn_kc5af7907ddd940a8_.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Users\\contoso.user\\Downloads\\Zoom_cm_ftiiesZ9vvrZo4_m71xXJPcy515f8rvwuJjGrc8hhzypvk1f8fX+@OLNxlEHLRsjJZITn_kc5af7907ddd940a8_.exe"",""local_process_id"":""6228"",""md5"":""1800ecd9cce506c84975e79934cdf32f"",""process_graph_id"":""pid:f083f1b0ac7049588ff82226dba61f46:9248788220352"",""process_id"":""9248788220352"",""sha256"":""ca08964cfaa670b76b1a075b05d841fe3203e445812ad78d8f217d66368775de"",""timestamp"":""2026-06-09T15:55:35.0000000Z"",""user_graph_id"":""uid:f083f1b0ac7049588ff82226dba61f46:S-1-5-21-000000000-1431365391-3430335985-6250"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-6250"",""user_name"":""contoso.user""}",9248788220352,16,"Prevention, process 
killed.","{""blocking_unsupported_or_disabled"":false,""bootup_safeguard_enabled"":false,""containment_file_system"":false,""critical_process_disabled"":false,""detect"":false,""fs_operation_blocked"":false,""handle_operation_downgraded"":false,""inddet_mask"":false,""indicator"":false,""kill_action_failed"":false,""kill_parent"":false,""kill_process"":true,""kill_subprocess"":false,""mfa_required"":false,""operation_blocked"":false,""policy_disabled"":false,""prevention_provisioning_enabled"":false,""process_blocked"":false,""quarantine_file"":false,""quarantine_machine"":false,""registry_operation_blocked"":false,""response_action_already_applied"":false,""response_action_failed"":false,""response_action_triggered"":false,""rooting"":false,""sensor_only"":false,""suspend_parent"":false,""suspend_process"":false}",1781020537,9248788647272,1781020536,,,,200530e9d02952df9a70807bdc37c438b56a7cb4250d5b0ca5357a8c8df1344b,0000000000000000000000000000000000000000,,,,601300898780,9248788647272,"pid:f083f1b0ac7049588ff82226dba61f46:9248788647272",ldt,"S-1-5-21-000000000-1431365391-3430335985-6250","contoso.user","contoso.user@CONTOSO.local",,,,6c5013391ca490509937309c0521b3c6,"6c5013391ca490509937309c0521b3c6:ind:f083f1b0ac7049588ff82226dba61f46:9248788647272-41004-24248592",100,"09/06/2026, 16:00:41.530","A process triggered an informational severity custom rule.",,,,"ind:f083f1b0ac7049588ff82226dba61f46:9248788647272-41004-24248592","[{""pattern_id"":41004,""tactic_id"":""CSTA0005"",""technique_id"":""CST0004"",""tactic"":""Custom Intelligence"",""technique"":""Indicator of Attack""}]",WinCustomTemplateInformationalPattern,,,,,,,,,"aggind:f083f1b0ac7049588ff82226dba61f46:601300898780","Falcon Detection Method","AACNRXn2HKRAUJk3MJwFIbPG3z1r5nKdJpL6PBr7EieztQAATiHrYqKhyOTYhIhBJ7i2_rTvkmV84SeahE-DWv3CdZQgPA==",,,"suspicious_activity",10,Informational,,,,,,,"Custom Intelligence","Indicator of Attack",CSTA0005,CST0004,,,,CrowdStrikeDetections
+"3187578c-499a-423e-9c9d-af9a55e1b4db","09/06/2026, 16:03:17.126",,,,"09/06/2026, 15:56:41.908",,,,,,,,,,,"09/06/2026, 16:00:41.536",true,0,0,true,new,exe,,,"""C:sers\contoso.user\AppData\Roaming\Zoom\ZoomDownload\Installer.exe"" ZInstaller --conf.mode=silent --ipc_wnd=265276",,"{""agent_load_flags"":""16"",""agent_local_time"":""2026-06-06T21:29:31.0540000Z"",""agent_version"":""7.37.20907.0"",""bios_manufacturer"":""HP"",""bios_version"":"""",""cid"":""6c5013391ca490509937309c0521b3c6"",""config_id_base"":""65994767"",""config_id_build"":""20907"",""config_id_platform"":""3"",""device_id"":""f083f1b0ac7049588ff82226dba61f46"",""external_ip"":""10.183.226.115"",""first_seen"":""2024-09-17T16:40:50.0000000Z"",""groups"":[""bb29ca195b294e31bb7a775259d2c71e""],""hostinfo"":{""active_directory_dn_display"":[""Mobile"",""Mobile\\EndUserDevices"",""Mobile\\EndUserDevices\\Workstations"",""Mobile\\EndUserDevices\\Workstations\\Accounts""],""domain"":""CONTOSO.local""},""hostname"":""host-406406"",""last_seen"":""2026-06-09T15:55:48.0000000Z"",""local_ip"":""192.168.1.77"",""mac_address"":""af-29-0f-c8-50-e8"",""machine_domain"":""CONTOSO.local"",""major_version"":""10"",""minor_version"":""0"",""modified_timestamp"":""2026-06-09T15:56:22.0000000Z"",""os_version"":""Windows 11"",""ou"":[""Mobile"",""EndUserDevices"",""Workstations"",""Accounts""],""platform_id"":""0"",""platform_name"":""Windows"",""product_type"":""1"",""product_type_desc"":""Workstation"",""site_name"":""PRODUCTION"",""status"":""normal"",""system_manufacturer"":""HP"",""system_product_name"":""HP PC""}","https://falcon.crowdstrike.com/activity-v2/detections/6c5013391ca490509937309c0521b3c6:ind:f083f1b0ac7049588ff82226dba61f46:9248788647272-41004-24249104?_cid=c30dbcy2nbvaj34bar7dg5ixcs3cvzna","Installer.exe","\Device\HarddiskVolume3\Users\contoso.user\AppData\Roaming\Zoom\ZoomDownload\Installer.exe",common,"{""cmdline"":""\""C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\"" 
"",""filename"":""chrome.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Program Files\\Google\\Chrome\\Application\\chrome.exe"",""local_process_id"":""14820"",""md5"":""4cc00a7a9fd24a51a95b32bdaf06d152"",""process_graph_id"":""pid:f083f1b0ac7049588ff82226dba61f46:9247257853146"",""process_id"":""9247257853146"",""sha256"":""88c293321ec7745f6d2e28cbf2ad00ee57cc2a6e776cef66e7710609a79da540"",""timestamp"":""2026-06-09T15:18:00.0000000Z"",""user_graph_id"":""uid:f083f1b0ac7049588ff82226dba61f46:S-1-5-21-000000000-1431365391-3430335985-6250"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-6250"",""user_name"":""contoso.user""}",,"ind:f083f1b0ac7049588ff82226dba61f46:9248788647272-41004-24249104","[]",common,38464,CONTOSO,0a7cb25c01b348a50c0c61e20232b8bd,,,"{""cmdline"":""\""C:\\Users\\contoso.user\\Downloads\\Zoom_cm_ftiiesZ9vvrZo4_m71xXJPcy515f8rvwuJjGrc8hhzypvk1f8fX+@OLNxlEHLRsjJZITn_kc5af7907ddd940a8_.exe\"" "",""filename"":""Zoom_cm_ftiiesZ9vvrZo4_m71xXJPcy515f8rvwuJjGrc8hhzypvk1f8fX+@OLNxlEHLRsjJZITn_kc5af7907ddd940a8_.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Users\\contoso.user\\Downloads\\Zoom_cm_ftiiesZ9vvrZo4_m71xXJPcy515f8rvwuJjGrc8hhzypvk1f8fX+@OLNxlEHLRsjJZITn_kc5af7907ddd940a8_.exe"",""local_process_id"":""6228"",""md5"":""1800ecd9cce506c84975e79934cdf32f"",""process_graph_id"":""pid:f083f1b0ac7049588ff82226dba61f46:9248788220352"",""process_id"":""9248788220352"",""sha256"":""ca08964cfaa670b76b1a075b05d841fe3203e445812ad78d8f217d66368775de"",""timestamp"":""2026-06-09T15:55:35.0000000Z"",""user_graph_id"":""uid:f083f1b0ac7049588ff82226dba61f46:S-1-5-21-000000000-1431365391-3430335985-6250"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-6250"",""user_name"":""contoso.user""}",9248788220352,16,"Prevention, process 
killed.","{""blocking_unsupported_or_disabled"":false,""bootup_safeguard_enabled"":false,""containment_file_system"":false,""critical_process_disabled"":false,""detect"":false,""fs_operation_blocked"":false,""handle_operation_downgraded"":false,""inddet_mask"":false,""indicator"":false,""kill_action_failed"":false,""kill_parent"":false,""kill_process"":true,""kill_subprocess"":false,""mfa_required"":false,""operation_blocked"":false,""policy_disabled"":false,""prevention_provisioning_enabled"":false,""process_blocked"":false,""quarantine_file"":false,""quarantine_machine"":false,""registry_operation_blocked"":false,""response_action_already_applied"":false,""response_action_failed"":false,""response_action_triggered"":false,""rooting"":false,""sensor_only"":false,""suspend_parent"":false,""suspend_process"":false}",1781020537,9248788647272,1781020536,,,,200530e9d02952df9a70807bdc37c438b56a7cb4250d5b0ca5357a8c8df1344b,0000000000000000000000000000000000000000,,,,601300898780,9248788647272,"pid:f083f1b0ac7049588ff82226dba61f46:9248788647272",ldt,"S-1-5-21-000000000-1431365391-3430335985-6250","contoso.user","contoso.user@CONTOSO.local",,,,6c5013391ca490509937309c0521b3c6,"6c5013391ca490509937309c0521b3c6:ind:f083f1b0ac7049588ff82226dba61f46:9248788647272-41004-24249104",100,"09/06/2026, 16:00:41.536","A process triggered an informational severity custom rule.",,,,"ind:f083f1b0ac7049588ff82226dba61f46:9248788647272-41004-24249104","[{""pattern_id"":41004,""tactic_id"":""CSTA0005"",""technique_id"":""CST0004"",""tactic"":""Custom Intelligence"",""technique"":""Indicator of Attack""}]",WinCustomTemplateInformationalPattern,,,,,,,,,"aggind:f083f1b0ac7049588ff82226dba61f46:601300898780","Falcon Detection Method","AACNRXn2HKRAUJk3MJwFIbPGB3wVzty9WXOXlL2IyaPK7wAATiGvSDbjsGcT6x2TOW5n4jv4PqBaItXOuyabemvKCc5amA==",,,"suspicious_activity",10,Informational,,,,,,,"Custom Intelligence","Indicator of Attack",CSTA0005,CST0004,,,,CrowdStrikeDetections
+"3187578c-499a-423e-9c9d-af9a55e1b4db","10/06/2026, 15:18:17.659",,,,"10/06/2026, 15:07:44.606",,,,,,,,,,,"10/06/2026, 15:11:44.525",true,0,0,true,new,exe,,,"""C:sers\contoso.user\AppData\Roaming\Zoom\ZoomDownload\Installer.exe"" ZInstaller --conf.mode=silent --ipc_wnd=395712",,"{""agent_load_flags"":""17"",""agent_local_time"":""2026-06-08T09:40:11.5790000Z"",""agent_version"":""7.37.20907.0"",""bios_manufacturer"":""HP"",""bios_version"":"""",""cid"":""6c5013391ca490509937309c0521b3c6"",""config_id_base"":""65994767"",""config_id_build"":""20907"",""config_id_platform"":""3"",""device_id"":""9c6da4284205479fa6a544050e7f1ee4"",""external_ip"":""10.173.154.130"",""first_seen"":""2023-10-10T19:06:15.0000000Z"",""groups"":[""bb29ca195b294e31bb7a775259d2c71e""],""hostinfo"":{""active_directory_dn_display"":[""Mobile"",""Mobile\\EndUserDevices"",""Mobile\\EndUserDevices\\Workstations"",""Mobile\\EndUserDevices\\Workstations\\Accounts""],""domain"":""CONTOSO.local""},""hostname"":""host-400615"",""last_seen"":""2026-06-10T15:11:30.0000000Z"",""local_ip"":""10.200.12.103"",""mac_address"":""af-e9-0f-2b-50-e0"",""machine_domain"":""CONTOSO.local"",""major_version"":""10"",""minor_version"":""0"",""modified_timestamp"":""2026-06-10T15:11:37.0000000Z"",""os_version"":""Windows 11"",""ou"":[""Mobile"",""EndUserDevices"",""Workstations"",""Accounts""],""platform_id"":""0"",""platform_name"":""Windows"",""product_type"":""1"",""product_type_desc"":""Workstation"",""site_name"":""PRODUCTION"",""status"":""normal"",""system_manufacturer"":""HP"",""system_product_name"":""HP 
PC""}","https://falcon.crowdstrike.com/activity-v2/detections/6c5013391ca490509937309c0521b3c6:ind:9c6da4284205479fa6a544050e7f1ee4:12950148427636-41004-26450704?_cid=c30dbcy2nbvaj34bar7dg5ixcs3cvzna","Installer.exe","\Device\HarddiskVolume3\Users\contoso.user\AppData\Roaming\Zoom\ZoomDownload\Installer.exe",common,"{""cmdline"":""C:\\WINDOWS\\Explorer.EXE"",""filename"":""explorer.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\explorer.exe"",""local_process_id"":""13684"",""md5"":""ac40353454b81af352815bc599e26380"",""process_graph_id"":""pid:9c6da4284205479fa6a544050e7f1ee4:12902376871638"",""process_id"":""12902376871638"",""sha256"":""f468e15e73aae3ddab99ea74a9b34bab0104790e5e5b90906fafb713f3f4c7ea"",""timestamp"":""2026-06-08T15:42:05.0000000Z"",""user_graph_id"":""uid:9c6da4284205479fa6a544050e7f1ee4:S-1-5-21-000000000-1431365391-3430335985-10759"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-10759"",""user_name"":""contoso.user""}",,"ind:9c6da4284205479fa6a544050e7f1ee4:12950148427636-41004-26450704","[]",common,34128,CONTOSO,0a7cb25c01b348a50c0c61e20232b8bd,,,"{""cmdline"":""\""C:\\Users\\contoso.user\\Downloads\\Zoom_cm_fbvukesuwfku4z5eZ9vvrZo4_m539HVl87pYFK5LWJi-cXqJGLBSh47FbiTuNS@asQREjBUk6btpp5i_kb51f9f75ae48b444_.exe\"" 
"",""filename"":""Zoom_cm_fbvukesuwfku4z5eZ9vvrZo4_m539HVl87pYFK5LWJi-cXqJGLBSh47FbiTuNS@asQREjBUk6btpp5i_kb51f9f75ae48b444_.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Users\\contoso.user\\Downloads\\Zoom_cm_fbvukesuwfku4z5eZ9vvrZo4_m539HVl87pYFK5LWJi-cXqJGLBSh47FbiTuNS@asQREjBUk6btpp5i_kb51f9f75ae48b444_.exe"",""local_process_id"":""16676"",""md5"":""1800ecd9cce506c84975e79934cdf32f"",""process_graph_id"":""pid:9c6da4284205479fa6a544050e7f1ee4:12950145987754"",""process_id"":""12950145987754"",""sha256"":""ca08964cfaa670b76b1a075b05d841fe3203e445812ad78d8f217d66368775de"",""timestamp"":""2026-06-10T15:06:38.0000000Z"",""user_graph_id"":""uid:9c6da4284205479fa6a544050e7f1ee4:S-1-5-21-000000000-1431365391-3430335985-10759"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-10759"",""user_name"":""contoso.user""}",12950145987754,16,"Prevention, process killed.","{""blocking_unsupported_or_disabled"":false,""bootup_safeguard_enabled"":false,""containment_file_system"":false,""critical_process_disabled"":false,""detect"":false,""fs_operation_blocked"":false,""handle_operation_downgraded"":false,""inddet_mask"":false,""indicator"":false,""kill_action_failed"":false,""kill_parent"":false,""kill_process"":true,""kill_subprocess"":false,""mfa_required"":false,""operation_blocked"":false,""policy_disabled"":false,""prevention_provisioning_enabled"":false,""process_blocked"":false,""quarantine_file"":false,""quarantine_machine"":false,""registry_operation_blocked"":false,""response_action_already_applied"":false,""response_action_failed"":false,""response_action_triggered"":false,""rooting"":false,""sensor_only"":false,""suspend_parent"":false,""suspend_process"":false}",1781104000,12950148427636,1781104000,,,,200530e9d02952df9a70807bdc37c438b56a7cb4250d5b0ca5357a8c8df1344b,0000000000000000000000000000000000000000,,,,1434522171600,12950148427636,"pid:9c6da4284205479fa6a544050e7f1ee4:12950148427636",ldt,"S-1-5-21-000000000-1431365391-3430335985-10759","contoso.user",
"contoso.user@CONTOSO.local",,,,6c5013391ca490509937309c0521b3c6,"6c5013391ca490509937309c0521b3c6:ind:9c6da4284205479fa6a544050e7f1ee4:12950148427636-41004-26450704",100,"10/06/2026, 15:11:44.525","A process triggered an informational severity custom rule.",,,,"ind:9c6da4284205479fa6a544050e7f1ee4:12950148427636-41004-26450704","[{""pattern_id"":41004,""tactic_id"":""CSTA0005"",""technique_id"":""CST0004"",""tactic"":""Custom Intelligence"",""technique"":""Indicator of Attack""}]",WinCustomTemplateInformationalPattern,,,,,,,,,"aggind:9c6da4284205479fa6a544050e7f1ee4:1434522171600","Falcon Detection Method","AACNRXn2HKRAUJk3MJwFIbPGlMN0YBtu7FAmpJabsBwGuwAATiFFM_-BzVLMX0hJoNNscLp49as-j-IrsNzBTJjKFNlQpQ==",,,"suspicious_activity",10,Informational,,,,,,,"Custom Intelligence","Indicator of Attack",CSTA0005,CST0004,,,,CrowdStrikeDetections
+"3187578c-499a-423e-9c9d-af9a55e1b4db","10/06/2026, 15:18:17.659",,,,"10/06/2026, 15:07:44.616",,,,,,,,,,,"10/06/2026, 15:11:44.533",true,0,0,true,new,exe,,,"""C:sers\contoso.user\AppData\Roaming\Zoom\ZoomDownload\Installer.exe"" ZInstaller --conf.mode=silent --ipc_wnd=395712",,"{""agent_load_flags"":""17"",""agent_local_time"":""2026-06-08T09:40:11.5790000Z"",""agent_version"":""7.37.20907.0"",""bios_manufacturer"":""HP"",""bios_version"":"""",""cid"":""6c5013391ca490509937309c0521b3c6"",""config_id_base"":""65994767"",""config_id_build"":""20907"",""config_id_platform"":""3"",""device_id"":""9c6da4284205479fa6a544050e7f1ee4"",""external_ip"":""10.173.154.130"",""first_seen"":""2023-10-10T19:06:15.0000000Z"",""groups"":[""bb29ca195b294e31bb7a775259d2c71e""],""hostinfo"":{""active_directory_dn_display"":[""Mobile"",""Mobile\\EndUserDevices"",""Mobile\\EndUserDevices\\Workstations"",""Mobile\\EndUserDevices\\Workstations\\Accounts""],""domain"":""CONTOSO.local""},""hostname"":""host-400615"",""last_seen"":""2026-06-10T15:11:30.0000000Z"",""local_ip"":""10.200.12.103"",""mac_address"":""af-e9-0f-2b-50-e0"",""machine_domain"":""CONTOSO.local"",""major_version"":""10"",""minor_version"":""0"",""modified_timestamp"":""2026-06-10T15:11:37.0000000Z"",""os_version"":""Windows 11"",""ou"":[""Mobile"",""EndUserDevices"",""Workstations"",""Accounts""],""platform_id"":""0"",""platform_name"":""Windows"",""product_type"":""1"",""product_type_desc"":""Workstation"",""site_name"":""PRODUCTION"",""status"":""normal"",""system_manufacturer"":""HP"",""system_product_name"":""HP 
PC""}","https://falcon.crowdstrike.com/activity-v2/detections/6c5013391ca490509937309c0521b3c6:ind:9c6da4284205479fa6a544050e7f1ee4:12950148427636-41004-26450192?_cid=c30dbcy2nbvaj34bar7dg5ixcs3cvzna","Installer.exe","\Device\HarddiskVolume3\Users\contoso.user\AppData\Roaming\Zoom\ZoomDownload\Installer.exe",common,"{""cmdline"":""C:\\WINDOWS\\Explorer.EXE"",""filename"":""explorer.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\explorer.exe"",""local_process_id"":""13684"",""md5"":""ac40353454b81af352815bc599e26380"",""process_graph_id"":""pid:9c6da4284205479fa6a544050e7f1ee4:12902376871638"",""process_id"":""12902376871638"",""sha256"":""f468e15e73aae3ddab99ea74a9b34bab0104790e5e5b90906fafb713f3f4c7ea"",""timestamp"":""2026-06-08T15:42:05.0000000Z"",""user_graph_id"":""uid:9c6da4284205479fa6a544050e7f1ee4:S-1-5-21-000000000-1431365391-3430335985-10759"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-10759"",""user_name"":""contoso.user""}",,"ind:9c6da4284205479fa6a544050e7f1ee4:12950148427636-41004-26450192","[]",common,34128,CONTOSO,0a7cb25c01b348a50c0c61e20232b8bd,,,"{""cmdline"":""\""C:\\Users\\contoso.user\\Downloads\\Zoom_cm_fbvukesuwfku4z5eZ9vvrZo4_m539HVl87pYFK5LWJi-cXqJGLBSh47FbiTuNS@asQREjBUk6btpp5i_kb51f9f75ae48b444_.exe\"" 
"",""filename"":""Zoom_cm_fbvukesuwfku4z5eZ9vvrZo4_m539HVl87pYFK5LWJi-cXqJGLBSh47FbiTuNS@asQREjBUk6btpp5i_kb51f9f75ae48b444_.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Users\\contoso.user\\Downloads\\Zoom_cm_fbvukesuwfku4z5eZ9vvrZo4_m539HVl87pYFK5LWJi-cXqJGLBSh47FbiTuNS@asQREjBUk6btpp5i_kb51f9f75ae48b444_.exe"",""local_process_id"":""16676"",""md5"":""1800ecd9cce506c84975e79934cdf32f"",""process_graph_id"":""pid:9c6da4284205479fa6a544050e7f1ee4:12950145987754"",""process_id"":""12950145987754"",""sha256"":""ca08964cfaa670b76b1a075b05d841fe3203e445812ad78d8f217d66368775de"",""timestamp"":""2026-06-10T15:06:38.0000000Z"",""user_graph_id"":""uid:9c6da4284205479fa6a544050e7f1ee4:S-1-5-21-000000000-1431365391-3430335985-10759"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-10759"",""user_name"":""contoso.user""}",12950145987754,16,"Prevention, process killed.","{""blocking_unsupported_or_disabled"":false,""bootup_safeguard_enabled"":false,""containment_file_system"":false,""critical_process_disabled"":false,""detect"":false,""fs_operation_blocked"":false,""handle_operation_downgraded"":false,""inddet_mask"":false,""indicator"":false,""kill_action_failed"":false,""kill_parent"":false,""kill_process"":true,""kill_subprocess"":false,""mfa_required"":false,""operation_blocked"":false,""policy_disabled"":false,""prevention_provisioning_enabled"":false,""process_blocked"":false,""quarantine_file"":false,""quarantine_machine"":false,""registry_operation_blocked"":false,""response_action_already_applied"":false,""response_action_failed"":false,""response_action_triggered"":false,""rooting"":false,""sensor_only"":false,""suspend_parent"":false,""suspend_process"":false}",1781104000,12950148427636,1781104000,,,,200530e9d02952df9a70807bdc37c438b56a7cb4250d5b0ca5357a8c8df1344b,0000000000000000000000000000000000000000,,,,1434522171600,12950148427636,"pid:9c6da4284205479fa6a544050e7f1ee4:12950148427636",ldt,"S-1-5-21-000000000-1431365391-3430335985-10759","contoso.user",
"contoso.user@CONTOSO.local",,,,6c5013391ca490509937309c0521b3c6,"6c5013391ca490509937309c0521b3c6:ind:9c6da4284205479fa6a544050e7f1ee4:12950148427636-41004-26450192",100,"10/06/2026, 15:11:44.533","A process triggered an informational severity custom rule.",,,,"ind:9c6da4284205479fa6a544050e7f1ee4:12950148427636-41004-26450192","[{""pattern_id"":41004,""tactic_id"":""CSTA0005"",""technique_id"":""CST0004"",""tactic"":""Custom Intelligence"",""technique"":""Indicator of Attack""}]",WinCustomTemplateInformationalPattern,,,,,,,,,"aggind:9c6da4284205479fa6a544050e7f1ee4:1434522171600","Falcon Detection Method","AACNRXn2HKRAUJk3MJwFIbPG-9oJKgqdEO5qqULDGmSYwwAATiEA_n-72_Y3MDgiyG0L7JrbN2VZjwg37zlEcmOdnj4YAg==",,,"suspicious_activity",10,Informational,,,,,,,"Custom Intelligence","Indicator of Attack",CSTA0005,CST0004,,,,CrowdStrikeDetections
+"3187578c-499a-423e-9c9d-af9a55e1b4db","09/06/2026, 16:33:16.996",,,,"09/06/2026, 16:24:04.813",,,,,,,,,,,"09/06/2026, 16:28:05.983",true,0,0,true,new,exe,,,ntdsutil,,"{""agent_load_flags"":""17"",""agent_local_time"":""2026-06-06T22:55:42.3670000Z"",""agent_version"":""7.37.20907.0"",""bios_manufacturer"":""VMware, Inc."",""bios_version"":"""",""cid"":""6c5013391ca490509937309c0521b3c6"",""config_id_base"":""65994767"",""config_id_build"":""20907"",""config_id_platform"":""3"",""device_id"":""ef0f552e2e3c4274b1c3082ba99310c5"",""external_ip"":""10.0.173.106"",""first_seen"":""2025-05-10T16:08:22.0000000Z"",""groups"":[""7a20989dba644eb18ef483eef1d3a2aa"",""83cafcdfa48b4077b2c582ca1ab441c7"",""a65da10761ae455a87c4dc0ae84ca7f8"",""f394b5561caa4ba8b282401dd197d94b"",""f8ddd8560d3a41e69f7f93d3344b90c5""],""hostinfo"":{""active_directory_dn_display"":[""Domain Controllers""],""domain"":""CONTOSO.local""},""hostname"":""host-DC-04"",""last_seen"":""2026-06-09T16:12:43.0000000Z"",""local_ip"":""10.179.176.23"",""mac_address"":""af-56-0f-50-50-00"",""machine_domain"":""CONTOSO.local"",""major_version"":""10"",""minor_version"":""0"",""modified_timestamp"":""2026-06-09T16:13:49.0000000Z"",""os_version"":""Windows Server 2022"",""ou"":[""Domain Controllers""],""platform_id"":""0"",""platform_name"":""Windows"",""product_type"":""2"",""product_type_desc"":""Domain Controller"",""site_name"":""PRODUCTION"",""status"":""normal"",""system_manufacturer"":""VMware, 
Inc."",""system_product_name"":""VMware""}","https://falcon.crowdstrike.com/activity-v2/detections/6c5013391ca490509937309c0521b3c6:ind:ef0f552e2e3c4274b1c3082ba99310c5:1894056254170-10295-449530896?_cid=c30dbcy2nbvaj34bar7dg5ixcs3cvzna","ntdsutil.exe","\Device\HarddiskVolume3\Windows\System32\ntdsutil.exe",common,"{""cmdline"":""C:\\Windows\\Explorer.EXE"",""filename"":""explorer.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\explorer.exe"",""local_process_id"":""4588"",""md5"":""375e3efe6760fca8e2b9c164b2538e07"",""process_graph_id"":""pid:ef0f552e2e3c4274b1c3082ba99310c5:1894016599579"",""process_id"":""1894016599579"",""sha256"":""10886b2c4aaecd2c4bc59e95184835dfd7591cb47d75f857a88d19e585eb5dc5"",""timestamp"":""2026-06-09T16:22:02.0000000Z"",""user_graph_id"":""uid:ef0f552e2e3c4274b1c3082ba99310c5:S-1-5-21-000000000-1431365391-3430335985-42004"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-42004"",""user_name"":""contoadmin""}",,"ind:ef0f552e2e3c4274b1c3082ba99310c5:1894056254170-10295-449530896","[]",low,12228,CONTOSO,8dbe356fed32e23ce95ac65893876004,,,"{""cmdline"":""\""C:\\Windows\\system32\\cmd.exe\"" "",""filename"":""cmd.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\System32\\cmd.exe"",""local_process_id"":""11300"",""md5"":""f63068e624fe6b82058aaaa671d4bc96"",""process_graph_id"":""pid:ef0f552e2e3c4274b1c3082ba99310c5:1894051238145"",""process_id"":""1894051238145"",""sha256"":""90d120880614e1e2a94067baad1454b09e2be7a9da51b71e33c247077d9f9538"",""timestamp"":""2026-06-09T16:22:23.0000000Z"",""user_graph_id"":""uid:ef0f552e2e3c4274b1c3082ba99310c5:S-1-5-21-000000000-1431365391-3430335985-42004"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-42004"",""user_name"":""contoadmin""}",1894051238145,0,"Detection, standard 
detection.","{""blocking_unsupported_or_disabled"":false,""bootup_safeguard_enabled"":false,""containment_file_system"":false,""critical_process_disabled"":false,""detect"":false,""fs_operation_blocked"":false,""handle_operation_downgraded"":false,""inddet_mask"":false,""indicator"":false,""kill_action_failed"":false,""kill_parent"":false,""kill_process"":false,""kill_subprocess"":false,""mfa_required"":false,""operation_blocked"":false,""policy_disabled"":false,""prevention_provisioning_enabled"":false,""process_blocked"":false,""quarantine_file"":false,""quarantine_machine"":false,""registry_operation_blocked"":false,""response_action_already_applied"":false,""response_action_failed"":false,""response_action_triggered"":false,""rooting"":false,""sensor_only"":false,""suspend_parent"":false,""suspend_process"":false}",1781022220,1894056254170,1781022148,,,,a60ffecad22d37c24b669d30abadb43c19e8ca7c45abc1b51e8605fe74276bb4,0000000000000000000000000000000000000000,,,,176094042201,1894056254170,"pid:ef0f552e2e3c4274b1c3082ba99310c5:1894056254170",ldt,"S-1-5-21-000000000-1431365391-3430335985-42004","contoadmin","contoadmin@CONTOSO.local",,,,6c5013391ca490509937309c0521b3c6,"6c5013391ca490509937309c0521b3c6:ind:ef0f552e2e3c4274b1c3082ba99310c5:1894056254170-10295-449530896",80,"09/06/2026, 16:28:05.983","A suspicious process may have accessed an Active Directory database (NTDS.dit). This might indicate an attempt to steal domain credentials. 
Investigate the process tree.",,,,"ind:ef0f552e2e3c4274b1c3082ba99310c5:1894056254170-10295-449530896","[{""pattern_id"":10295,""tactic_id"":""TA0006"",""technique_id"":""T1003"",""tactic"":""Credential Access"",""technique"":""OS Credential Dumping""}]",NtdsDatabaseAccess,,,,,,,,,"aggind:ef0f552e2e3c4274b1c3082ba99310c5:176094042201","Gain Access","AACNRXn2HKRAUJk3MJwFIbPGj4A_mfJO_pWaYnYIE5w2yQAATiEkK9KGLsl1_mNaHyJHywh4COA2wcwYdGbWF6uhZ2wTdQ==",,,"credential_theft",70,High,,,,,,,"Credential Access","OS Credential Dumping",TA0006,T1003,,,,CrowdStrikeDetections
+"3187578c-499a-423e-9c9d-af9a55e1b4db","09/06/2026, 16:33:16.996",,,,"09/06/2026, 16:24:04.827",,,,,,,,,,,"09/06/2026, 16:28:05.931",true,0,0,true,new,exe,,,ntdsutil,,"{""agent_load_flags"":""17"",""agent_local_time"":""2026-06-06T22:55:42.3670000Z"",""agent_version"":""7.37.20907.0"",""bios_manufacturer"":""VMware, Inc."",""bios_version"":"""",""cid"":""6c5013391ca490509937309c0521b3c6"",""config_id_base"":""65994767"",""config_id_build"":""20907"",""config_id_platform"":""3"",""device_id"":""ef0f552e2e3c4274b1c3082ba99310c5"",""external_ip"":""10.0.173.106"",""first_seen"":""2025-05-10T16:08:22.0000000Z"",""groups"":[""7a20989dba644eb18ef483eef1d3a2aa"",""83cafcdfa48b4077b2c582ca1ab441c7"",""a65da10761ae455a87c4dc0ae84ca7f8"",""f394b5561caa4ba8b282401dd197d94b"",""f8ddd8560d3a41e69f7f93d3344b90c5""],""hostinfo"":{""active_directory_dn_display"":[""Domain Controllers""],""domain"":""CONTOSO.local""},""hostname"":""host-DC-04"",""last_seen"":""2026-06-09T16:12:43.0000000Z"",""local_ip"":""10.179.176.23"",""mac_address"":""af-56-0f-50-50-00"",""machine_domain"":""CONTOSO.local"",""major_version"":""10"",""minor_version"":""0"",""modified_timestamp"":""2026-06-09T16:13:49.0000000Z"",""os_version"":""Windows Server 2022"",""ou"":[""Domain Controllers""],""platform_id"":""0"",""platform_name"":""Windows"",""product_type"":""2"",""product_type_desc"":""Domain Controller"",""site_name"":""PRODUCTION"",""status"":""normal"",""system_manufacturer"":""VMware, 
Inc."",""system_product_name"":""VMware""}","https://falcon.crowdstrike.com/activity-v2/detections/6c5013391ca490509937309c0521b3c6:ind:ef0f552e2e3c4274b1c3082ba99310c5:1894056254170-287-449531920?_cid=c30dbcy2nbvaj34bar7dg5ixcs3cvzna","ntdsutil.exe","\Device\HarddiskVolume3\Windows\System32\ntdsutil.exe",common,"{""cmdline"":""C:\\Windows\\Explorer.EXE"",""filename"":""explorer.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\explorer.exe"",""local_process_id"":""4588"",""md5"":""375e3efe6760fca8e2b9c164b2538e07"",""process_graph_id"":""pid:ef0f552e2e3c4274b1c3082ba99310c5:1894016599579"",""process_id"":""1894016599579"",""sha256"":""10886b2c4aaecd2c4bc59e95184835dfd7591cb47d75f857a88d19e585eb5dc5"",""timestamp"":""2026-06-09T16:22:02.0000000Z"",""user_graph_id"":""uid:ef0f552e2e3c4274b1c3082ba99310c5:S-1-5-21-000000000-1431365391-3430335985-42004"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-42004"",""user_name"":""contoadmin""}",,"ind:ef0f552e2e3c4274b1c3082ba99310c5:1894056254170-287-449531920","[]",low,12228,CONTOSO,8dbe356fed32e23ce95ac65893876004,,,"{""cmdline"":""\""C:\\Windows\\system32\\cmd.exe\"" "",""filename"":""cmd.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\System32\\cmd.exe"",""local_process_id"":""11300"",""md5"":""f63068e624fe6b82058aaaa671d4bc96"",""process_graph_id"":""pid:ef0f552e2e3c4274b1c3082ba99310c5:1894051238145"",""process_id"":""1894051238145"",""sha256"":""90d120880614e1e2a94067baad1454b09e2be7a9da51b71e33c247077d9f9538"",""timestamp"":""2026-06-09T16:22:23.0000000Z"",""user_graph_id"":""uid:ef0f552e2e3c4274b1c3082ba99310c5:S-1-5-21-000000000-1431365391-3430335985-42004"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-42004"",""user_name"":""contoadmin""}",1894051238145,0,"Detection, standard 
detection.","{""blocking_unsupported_or_disabled"":false,""bootup_safeguard_enabled"":false,""containment_file_system"":false,""critical_process_disabled"":false,""detect"":false,""fs_operation_blocked"":false,""handle_operation_downgraded"":false,""inddet_mask"":false,""indicator"":false,""kill_action_failed"":false,""kill_parent"":false,""kill_process"":false,""kill_subprocess"":false,""mfa_required"":false,""operation_blocked"":false,""policy_disabled"":false,""prevention_provisioning_enabled"":false,""process_blocked"":false,""quarantine_file"":false,""quarantine_machine"":false,""registry_operation_blocked"":false,""response_action_already_applied"":false,""response_action_failed"":false,""response_action_triggered"":false,""rooting"":false,""sensor_only"":false,""suspend_parent"":false,""suspend_process"":false}",1781022220,1894056254170,1781022148,,,,a60ffecad22d37c24b669d30abadb43c19e8ca7c45abc1b51e8605fe74276bb4,0000000000000000000000000000000000000000,,,,176094042201,1894056254170,"pid:ef0f552e2e3c4274b1c3082ba99310c5:1894056254170",ldt,"S-1-5-21-000000000-1431365391-3430335985-42004","contoadmin","contoadmin@CONTOSO.local",,,,6c5013391ca490509937309c0521b3c6,"6c5013391ca490509937309c0521b3c6:ind:ef0f552e2e3c4274b1c3082ba99310c5:1894056254170-287-449531920",60,"09/06/2026, 16:28:05.931","Process accessed NTDS.dit in a Volume Shadow Snapshot and subsequently wrote a file that may contain the NTDS database.",,,,"ind:ef0f552e2e3c4274b1c3082ba99310c5:1894056254170-287-449531920","[{""pattern_id"":287,""tactic_id"":""TA0006"",""technique_id"":""T1003"",""tactic"":""Credential Access"",""technique"":""OS Credential Dumping""}]",NtdsCopyFromVss,,,,,,,,,"aggind:ef0f552e2e3c4274b1c3082ba99310c5:176094042201","Gain Access","AACNRXn2HKRAUJk3MJwFIbPGp45z-JbcFpo7YtXjM-c7_gAATiFM-2grSRDvDuKPQ81EZfVYNgHpT-WDaCQsHI13KhiGXQ==",,,"credential_theft",60,High,,,,,,,"Credential Access","OS Credential Dumping",TA0006,T1003,,,,CrowdStrikeDetections
+"3187578c-499a-423e-9c9d-af9a55e1b4db","09/06/2026, 16:33:16.996",,,,"09/06/2026, 16:24:32.931",,,,,,,,,,,"09/06/2026, 16:28:34.748",true,0,0,true,new,exe,,,ntdsutil,,"{""agent_load_flags"":""17"",""agent_local_time"":""2026-06-06T22:55:42.3670000Z"",""agent_version"":""7.37.20907.0"",""bios_manufacturer"":""VMware, Inc."",""bios_version"":"""",""cid"":""6c5013391ca490509937309c0521b3c6"",""config_id_base"":""65994767"",""config_id_build"":""20907"",""config_id_platform"":""3"",""device_id"":""ef0f552e2e3c4274b1c3082ba99310c5"",""external_ip"":""10.0.173.106"",""first_seen"":""2025-05-10T16:08:22.0000000Z"",""groups"":[""7a20989dba644eb18ef483eef1d3a2aa"",""83cafcdfa48b4077b2c582ca1ab441c7"",""a65da10761ae455a87c4dc0ae84ca7f8"",""f394b5561caa4ba8b282401dd197d94b"",""f8ddd8560d3a41e69f7f93d3344b90c5""],""hostinfo"":{""active_directory_dn_display"":[""Domain Controllers""],""domain"":""CONTOSO.local""},""hostname"":""host-DC-04"",""last_seen"":""2026-06-09T16:12:43.0000000Z"",""local_ip"":""10.179.176.23"",""mac_address"":""af-56-0f-50-50-00"",""machine_domain"":""CONTOSO.local"",""major_version"":""10"",""minor_version"":""0"",""modified_timestamp"":""2026-06-09T16:13:49.0000000Z"",""os_version"":""Windows Server 2022"",""ou"":[""Domain Controllers""],""platform_id"":""0"",""platform_name"":""Windows"",""product_type"":""2"",""product_type_desc"":""Domain Controller"",""site_name"":""PRODUCTION"",""status"":""normal"",""system_manufacturer"":""VMware, 
Inc."",""system_product_name"":""VMware""}","https://falcon.crowdstrike.com/activity-v2/detections/6c5013391ca490509937309c0521b3c6:ind:ef0f552e2e3c4274b1c3082ba99310c5:1894056254170-67-449587984?_cid=c30dbcy2nbvaj34bar7dg5ixcs3cvzna","ntdsutil.exe","\Device\HarddiskVolume3\Windows\System32\ntdsutil.exe",common,"{""cmdline"":""C:\\Windows\\Explorer.EXE"",""filename"":""explorer.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\explorer.exe"",""local_process_id"":""4588"",""md5"":""375e3efe6760fca8e2b9c164b2538e07"",""process_graph_id"":""pid:ef0f552e2e3c4274b1c3082ba99310c5:1894016599579"",""process_id"":""1894016599579"",""sha256"":""10886b2c4aaecd2c4bc59e95184835dfd7591cb47d75f857a88d19e585eb5dc5"",""timestamp"":""2026-06-09T16:22:02.0000000Z"",""user_graph_id"":""uid:ef0f552e2e3c4274b1c3082ba99310c5:S-1-5-21-000000000-1431365391-3430335985-42004"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-42004"",""user_name"":""contoadmin""}",,"ind:ef0f552e2e3c4274b1c3082ba99310c5:1894056254170-67-449587984","[]",low,12228,CONTOSO,8dbe356fed32e23ce95ac65893876004,,,"{""cmdline"":""\""C:\\Windows\\system32\\cmd.exe\"" "",""filename"":""cmd.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\System32\\cmd.exe"",""local_process_id"":""11300"",""md5"":""f63068e624fe6b82058aaaa671d4bc96"",""process_graph_id"":""pid:ef0f552e2e3c4274b1c3082ba99310c5:1894051238145"",""process_id"":""1894051238145"",""sha256"":""90d120880614e1e2a94067baad1454b09e2be7a9da51b71e33c247077d9f9538"",""timestamp"":""2026-06-09T16:22:23.0000000Z"",""user_graph_id"":""uid:ef0f552e2e3c4274b1c3082ba99310c5:S-1-5-21-000000000-1431365391-3430335985-42004"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-42004"",""user_name"":""contoadmin""}",1894051238145,0,"Detection, standard 
detection.","{""blocking_unsupported_or_disabled"":false,""bootup_safeguard_enabled"":false,""containment_file_system"":false,""critical_process_disabled"":false,""detect"":false,""fs_operation_blocked"":false,""handle_operation_downgraded"":false,""inddet_mask"":false,""indicator"":false,""kill_action_failed"":false,""kill_parent"":false,""kill_process"":false,""kill_subprocess"":false,""mfa_required"":false,""operation_blocked"":false,""policy_disabled"":false,""prevention_provisioning_enabled"":false,""process_blocked"":false,""quarantine_file"":false,""quarantine_machine"":false,""registry_operation_blocked"":false,""response_action_already_applied"":false,""response_action_failed"":false,""response_action_triggered"":false,""rooting"":false,""sensor_only"":false,""suspend_parent"":false,""suspend_process"":false}",1781022220,1894056254170,1781022148,,,,a60ffecad22d37c24b669d30abadb43c19e8ca7c45abc1b51e8605fe74276bb4,0000000000000000000000000000000000000000,,,,176094042201,1894056254170,"pid:ef0f552e2e3c4274b1c3082ba99310c5:1894056254170",ldt,"S-1-5-21-000000000-1431365391-3430335985-42004","contoadmin","contoadmin@CONTOSO.local",,,,6c5013391ca490509937309c0521b3c6,"6c5013391ca490509937309c0521b3c6:ind:ef0f552e2e3c4274b1c3082ba99310c5:1894056254170-67-449587984",80,"09/06/2026, 16:28:34.748","Process accessed credential-containing NTDS.dit in a Volume Shadow Snapshot",,,,"ind:ef0f552e2e3c4274b1c3082ba99310c5:1894056254170-67-449587984","[{""pattern_id"":67,""tactic_id"":""TA0006"",""technique_id"":""T1003"",""tactic"":""Credential Access"",""technique"":""OS Credential Dumping""}]",NtdsFileAccessedViaVss,,,,,,,,,"aggind:ef0f552e2e3c4274b1c3082ba99310c5:176094042201","Gain Access","AACNRXn2HKRAUJk3MJwFIbPG5kDVCaRBmUQGdAdIodExYAAATiHcEzR4U2SLb593Lacm4Sb_WaOeIQUrQZQzjzb0KDzofQ==",,,"credential_theft",100,Critical,,,,,,,"Credential Access","OS Credential Dumping",TA0006,T1003,,,,CrowdStrikeDetections
+"3187578c-499a-423e-9c9d-af9a55e1b4db","09/06/2026, 16:33:16.996",,,,"09/06/2026, 16:24:38.638",,,,,,,,,,,"09/06/2026, 16:28:38.675",true,0,0,true,new,exe,,,ntdsutil,,"{""agent_load_flags"":""17"",""agent_local_time"":""2026-06-06T22:55:42.3670000Z"",""agent_version"":""7.37.20907.0"",""bios_manufacturer"":""VMware, Inc."",""bios_version"":"""",""cid"":""6c5013391ca490509937309c0521b3c6"",""config_id_base"":""65994767"",""config_id_build"":""20907"",""config_id_platform"":""3"",""device_id"":""ef0f552e2e3c4274b1c3082ba99310c5"",""external_ip"":""10.0.173.106"",""first_seen"":""2025-05-10T16:08:22.0000000Z"",""groups"":[""7a20989dba644eb18ef483eef1d3a2aa"",""83cafcdfa48b4077b2c582ca1ab441c7"",""a65da10761ae455a87c4dc0ae84ca7f8"",""f394b5561caa4ba8b282401dd197d94b"",""f8ddd8560d3a41e69f7f93d3344b90c5""],""hostinfo"":{""active_directory_dn_display"":[""Domain Controllers""],""domain"":""CONTOSO.local""},""hostname"":""host-DC-04"",""last_seen"":""2026-06-09T16:12:43.0000000Z"",""local_ip"":""10.179.176.23"",""mac_address"":""af-56-0f-50-50-00"",""machine_domain"":""CONTOSO.local"",""major_version"":""10"",""minor_version"":""0"",""modified_timestamp"":""2026-06-09T16:13:49.0000000Z"",""os_version"":""Windows Server 2022"",""ou"":[""Domain Controllers""],""platform_id"":""0"",""platform_name"":""Windows"",""product_type"":""2"",""product_type_desc"":""Domain Controller"",""site_name"":""PRODUCTION"",""status"":""normal"",""system_manufacturer"":""VMware, 
Inc."",""system_product_name"":""VMware""}","https://falcon.crowdstrike.com/activity-v2/detections/6c5013391ca490509937309c0521b3c6:ind:ef0f552e2e3c4274b1c3082ba99310c5:1894056254170-10295-449595920?_cid=c30dbcy2nbvaj34bar7dg5ixcs3cvzna","ntdsutil.exe","\Device\HarddiskVolume3\Windows\System32\ntdsutil.exe",common,"{""cmdline"":""C:\\Windows\\Explorer.EXE"",""filename"":""explorer.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\explorer.exe"",""local_process_id"":""4588"",""md5"":""375e3efe6760fca8e2b9c164b2538e07"",""process_graph_id"":""pid:ef0f552e2e3c4274b1c3082ba99310c5:1894016599579"",""process_id"":""1894016599579"",""sha256"":""10886b2c4aaecd2c4bc59e95184835dfd7591cb47d75f857a88d19e585eb5dc5"",""timestamp"":""2026-06-09T16:22:02.0000000Z"",""user_graph_id"":""uid:ef0f552e2e3c4274b1c3082ba99310c5:S-1-5-21-000000000-1431365391-3430335985-42004"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-42004"",""user_name"":""contoadmin""}",,"ind:ef0f552e2e3c4274b1c3082ba99310c5:1894056254170-10295-449595920","[]",low,12228,CONTOSO,8dbe356fed32e23ce95ac65893876004,,,"{""cmdline"":""\""C:\\Windows\\system32\\cmd.exe\"" "",""filename"":""cmd.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\System32\\cmd.exe"",""local_process_id"":""11300"",""md5"":""f63068e624fe6b82058aaaa671d4bc96"",""process_graph_id"":""pid:ef0f552e2e3c4274b1c3082ba99310c5:1894051238145"",""process_id"":""1894051238145"",""sha256"":""90d120880614e1e2a94067baad1454b09e2be7a9da51b71e33c247077d9f9538"",""timestamp"":""2026-06-09T16:22:23.0000000Z"",""user_graph_id"":""uid:ef0f552e2e3c4274b1c3082ba99310c5:S-1-5-21-000000000-1431365391-3430335985-42004"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-42004"",""user_name"":""contoadmin""}",1894051238145,0,"Detection, standard 
detection.","{""blocking_unsupported_or_disabled"":false,""bootup_safeguard_enabled"":false,""containment_file_system"":false,""critical_process_disabled"":false,""detect"":false,""fs_operation_blocked"":false,""handle_operation_downgraded"":false,""inddet_mask"":false,""indicator"":false,""kill_action_failed"":false,""kill_parent"":false,""kill_process"":false,""kill_subprocess"":false,""mfa_required"":false,""operation_blocked"":false,""policy_disabled"":false,""prevention_provisioning_enabled"":false,""process_blocked"":false,""quarantine_file"":false,""quarantine_machine"":false,""registry_operation_blocked"":false,""response_action_already_applied"":false,""response_action_failed"":false,""response_action_triggered"":false,""rooting"":false,""sensor_only"":false,""suspend_parent"":false,""suspend_process"":false}",1781022220,1894056254170,1781022148,,,,a60ffecad22d37c24b669d30abadb43c19e8ca7c45abc1b51e8605fe74276bb4,0000000000000000000000000000000000000000,,,,176094042201,1894056254170,"pid:ef0f552e2e3c4274b1c3082ba99310c5:1894056254170",ldt,"S-1-5-21-000000000-1431365391-3430335985-42004","contoadmin","contoadmin@CONTOSO.local",,,,6c5013391ca490509937309c0521b3c6,"6c5013391ca490509937309c0521b3c6:ind:ef0f552e2e3c4274b1c3082ba99310c5:1894056254170-10295-449595920",80,"09/06/2026, 16:28:38.675","A suspicious process may have accessed an Active Directory database (NTDS.dit). This might indicate an attempt to steal domain credentials. 
Investigate the process tree.",,,,"ind:ef0f552e2e3c4274b1c3082ba99310c5:1894056254170-10295-449595920","[{""pattern_id"":10295,""tactic_id"":""TA0006"",""technique_id"":""T1003"",""tactic"":""Credential Access"",""technique"":""OS Credential Dumping""}]",NtdsDatabaseAccess,,,,,,,,,"aggind:ef0f552e2e3c4274b1c3082ba99310c5:176094042201","Gain Access","AACNRXn2HKRAUJk3MJwFIbPGaOJPfjuIMyIjwiOpj3dN2wAATiHSGYOdvBwHBhDctKKOFWhCF3-2alSaHgj5DVU_fT_qEA==",,,"credential_theft",70,High,,,,,,,"Credential Access","OS Credential Dumping",TA0006,T1003,,,,CrowdStrikeDetections
+"3187578c-499a-423e-9c9d-af9a55e1b4db","09/06/2026, 16:33:16.996",,,,"09/06/2026, 16:24:38.640",,,,,,,,,,,"09/06/2026, 16:28:38.676",true,0,0,true,new,exe,,,ntdsutil,,"{""agent_load_flags"":""17"",""agent_local_time"":""2026-06-06T22:55:42.3670000Z"",""agent_version"":""7.37.20907.0"",""bios_manufacturer"":""VMware, Inc."",""bios_version"":"""",""cid"":""6c5013391ca490509937309c0521b3c6"",""config_id_base"":""65994767"",""config_id_build"":""20907"",""config_id_platform"":""3"",""device_id"":""ef0f552e2e3c4274b1c3082ba99310c5"",""external_ip"":""10.0.173.106"",""first_seen"":""2025-05-10T16:08:22.0000000Z"",""groups"":[""7a20989dba644eb18ef483eef1d3a2aa"",""83cafcdfa48b4077b2c582ca1ab441c7"",""a65da10761ae455a87c4dc0ae84ca7f8"",""f394b5561caa4ba8b282401dd197d94b"",""f8ddd8560d3a41e69f7f93d3344b90c5""],""hostinfo"":{""active_directory_dn_display"":[""Domain Controllers""],""domain"":""CONTOSO.local""},""hostname"":""host-DC-04"",""last_seen"":""2026-06-09T16:12:43.0000000Z"",""local_ip"":""10.179.176.23"",""mac_address"":""af-56-0f-50-50-00"",""machine_domain"":""CONTOSO.local"",""major_version"":""10"",""minor_version"":""0"",""modified_timestamp"":""2026-06-09T16:13:49.0000000Z"",""os_version"":""Windows Server 2022"",""ou"":[""Domain Controllers""],""platform_id"":""0"",""platform_name"":""Windows"",""product_type"":""2"",""product_type_desc"":""Domain Controller"",""site_name"":""PRODUCTION"",""status"":""normal"",""system_manufacturer"":""VMware, 
Inc."",""system_product_name"":""VMware""}","https://falcon.crowdstrike.com/activity-v2/detections/6c5013391ca490509937309c0521b3c6:ind:ef0f552e2e3c4274b1c3082ba99310c5:1894056254170-10295-449597456?_cid=c30dbcy2nbvaj34bar7dg5ixcs3cvzna","ntdsutil.exe","\Device\HarddiskVolume3\Windows\System32\ntdsutil.exe",common,"{""cmdline"":""C:\\Windows\\Explorer.EXE"",""filename"":""explorer.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\explorer.exe"",""local_process_id"":""4588"",""md5"":""375e3efe6760fca8e2b9c164b2538e07"",""process_graph_id"":""pid:ef0f552e2e3c4274b1c3082ba99310c5:1894016599579"",""process_id"":""1894016599579"",""sha256"":""10886b2c4aaecd2c4bc59e95184835dfd7591cb47d75f857a88d19e585eb5dc5"",""timestamp"":""2026-06-09T16:22:02.0000000Z"",""user_graph_id"":""uid:ef0f552e2e3c4274b1c3082ba99310c5:S-1-5-21-000000000-1431365391-3430335985-42004"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-42004"",""user_name"":""contoadmin""}",,"ind:ef0f552e2e3c4274b1c3082ba99310c5:1894056254170-10295-449597456","[]",low,12228,CONTOSO,8dbe356fed32e23ce95ac65893876004,,,"{""cmdline"":""\""C:\\Windows\\system32\\cmd.exe\"" "",""filename"":""cmd.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\System32\\cmd.exe"",""local_process_id"":""11300"",""md5"":""f63068e624fe6b82058aaaa671d4bc96"",""process_graph_id"":""pid:ef0f552e2e3c4274b1c3082ba99310c5:1894051238145"",""process_id"":""1894051238145"",""sha256"":""90d120880614e1e2a94067baad1454b09e2be7a9da51b71e33c247077d9f9538"",""timestamp"":""2026-06-09T16:22:23.0000000Z"",""user_graph_id"":""uid:ef0f552e2e3c4274b1c3082ba99310c5:S-1-5-21-000000000-1431365391-3430335985-42004"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-42004"",""user_name"":""contoadmin""}",1894051238145,0,"Detection, standard 
detection.","{""blocking_unsupported_or_disabled"":false,""bootup_safeguard_enabled"":false,""containment_file_system"":false,""critical_process_disabled"":false,""detect"":false,""fs_operation_blocked"":false,""handle_operation_downgraded"":false,""inddet_mask"":false,""indicator"":false,""kill_action_failed"":false,""kill_parent"":false,""kill_process"":false,""kill_subprocess"":false,""mfa_required"":false,""operation_blocked"":false,""policy_disabled"":false,""prevention_provisioning_enabled"":false,""process_blocked"":false,""quarantine_file"":false,""quarantine_machine"":false,""registry_operation_blocked"":false,""response_action_already_applied"":false,""response_action_failed"":false,""response_action_triggered"":false,""rooting"":false,""sensor_only"":false,""suspend_parent"":false,""suspend_process"":false}",1781022220,1894056254170,1781022148,,,,a60ffecad22d37c24b669d30abadb43c19e8ca7c45abc1b51e8605fe74276bb4,0000000000000000000000000000000000000000,,,,176094042201,1894056254170,"pid:ef0f552e2e3c4274b1c3082ba99310c5:1894056254170",ldt,"S-1-5-21-000000000-1431365391-3430335985-42004","contoadmin","contoadmin@CONTOSO.local",,,,6c5013391ca490509937309c0521b3c6,"6c5013391ca490509937309c0521b3c6:ind:ef0f552e2e3c4274b1c3082ba99310c5:1894056254170-10295-449597456",80,"09/06/2026, 16:28:38.676","A suspicious process may have accessed an Active Directory database (NTDS.dit). This might indicate an attempt to steal domain credentials. 
Investigate the process tree.",,,,"ind:ef0f552e2e3c4274b1c3082ba99310c5:1894056254170-10295-449597456","[{""pattern_id"":10295,""tactic_id"":""TA0006"",""technique_id"":""T1003"",""tactic"":""Credential Access"",""technique"":""OS Credential Dumping""}]",NtdsDatabaseAccess,,,,,,,,,"aggind:ef0f552e2e3c4274b1c3082ba99310c5:176094042201","Gain Access","AACNRXn2HKRAUJk3MJwFIbPGuvb4qh1ihLxX8pln2J_llwAATiH0LkL91XxdIbb7eC3eG4H6sc_DAgx4RjSKiZB79AZ8bw==",,,"credential_theft",70,High,,,,,,,"Credential Access","OS Credential Dumping",TA0006,T1003,,,,CrowdStrikeDetections
+"3187578c-499a-423e-9c9d-af9a55e1b4db","09/06/2026, 16:48:16.942",,,,"09/06/2026, 16:33:16.051",,,,,,,,,,,"09/06/2026, 16:47:27.595",true,643,641,true,closed,exe,,,ntdsutil,,"{""agent_load_flags"":""17"",""agent_local_time"":""2026-06-06T22:26:33.5520000Z"",""agent_version"":""7.37.20907.0"",""bios_manufacturer"":""VMware, Inc."",""bios_version"":"""",""cid"":""6c5013391ca490509937309c0521b3c6"",""config_id_base"":""65994767"",""config_id_build"":""20907"",""config_id_platform"":""3"",""device_id"":""0c845812509d427887cf3da2ae30b081"",""external_ip"":""10.131.109.8"",""first_seen"":""2024-05-04T07:56:26.0000000Z"",""groups"":[""b72f81dd3bd04a1e85b655d368051e84"",""f5e455d12b8746be90388df409ba31a2"",""f8ddd8560d3a41e69f7f93d3344b90c5"",""3d911dc2afe04e0f9d938dc87915efff"",""83cafcdfa48b4077b2c582ca1ab441c7""],""hostinfo"":{""active_directory_dn_display"":[""Domain Controllers""],""domain"":""CONTO-CONTO-DMZ.Local""},""hostname"":""host-DC-02"",""last_seen"":""2026-06-09T16:27:34.0000000Z"",""local_ip"":""192.131.109.8"",""mac_address"":""af-56-0f-50-50-00"",""machine_domain"":""CONTO-DMZ.Local"",""major_version"":""10"",""minor_version"":""0"",""modified_timestamp"":""2026-06-09T16:29:03.0000000Z"",""os_version"":""Windows Server 2022"",""ou"":[""Domain Controllers""],""platform_id"":""0"",""platform_name"":""Windows"",""product_type"":""2"",""product_type_desc"":""Domain Controller"",""site_name"":""PRODUCTION"",""status"":""normal"",""system_manufacturer"":""VMware, 
Inc."",""system_product_name"":""VMware""}","https://falcon.crowdstrike.com/activity-v2/detections/6c5013391ca490509937309c0521b3c6:ind:0c845812509d427887cf3da2ae30b081:2899943384062-287-47570448?_cid=c30dbcy2nbvaj34bar7dg5ixcs3cvzna","ntdsutil.exe","\Device\HarddiskVolume3\Windows\System32\ntdsutil.exe",common,"{""cmdline"":""C:\\Windows\\Explorer.EXE"",""filename"":""explorer.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\explorer.exe"",""local_process_id"":""11452"",""md5"":""375e3efe6760fca8e2b9c164b2538e07"",""process_graph_id"":""pid:0c845812509d427887cf3da2ae30b081:2899899169211"",""process_id"":""2899899169211"",""sha256"":""10886b2c4aaecd2c4bc59e95184835dfd7591cb47d75f857a88d19e585eb5dc5"",""timestamp"":""2026-06-09T16:31:02.0000000Z"",""user_graph_id"":""uid:0c845812509d427887cf3da2ae30b081:S-1-5-21-000000000-3729467482-3682059372-2119"",""user_id"":""S-1-5-21-000000000-3729467482-3682059372-2119"",""user_name"":""contoadmin""}",,"ind:0c845812509d427887cf3da2ae30b081:2899943384062-287-47570448","[]",low,1028,CONTO-DMZ,8dbe356fed32e23ce95ac65893876004,,,"{""cmdline"":""\""C:\\Windows\\system32\\cmd.exe\"" "",""filename"":""cmd.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\System32\\cmd.exe"",""local_process_id"":""3976"",""md5"":""f63068e624fe6b82058aaaa671d4bc96"",""process_graph_id"":""pid:0c845812509d427887cf3da2ae30b081:2899941135166"",""process_id"":""2899941135166"",""sha256"":""90d120880614e1e2a94067baad1454b09e2be7a9da51b71e33c247077d9f9538"",""timestamp"":""2026-06-09T16:31:41.0000000Z"",""user_graph_id"":""uid:0c845812509d427887cf3da2ae30b081:S-1-5-21-000000000-3729467482-3682059372-2119"",""user_id"":""S-1-5-21-000000000-3729467482-3682059372-2119"",""user_name"":""contoadmin""}",2899941135166,0,"Detection, standard 
detection.","{""blocking_unsupported_or_disabled"":false,""bootup_safeguard_enabled"":false,""containment_file_system"":false,""critical_process_disabled"":false,""detect"":false,""fs_operation_blocked"":false,""handle_operation_downgraded"":false,""inddet_mask"":false,""indicator"":false,""kill_action_failed"":false,""kill_parent"":false,""kill_process"":false,""kill_subprocess"":false,""mfa_required"":false,""operation_blocked"":false,""policy_disabled"":false,""prevention_provisioning_enabled"":false,""process_blocked"":false,""quarantine_file"":false,""quarantine_machine"":false,""registry_operation_blocked"":false,""response_action_already_applied"":false,""response_action_failed"":false,""response_action_triggered"":false,""rooting"":false,""sensor_only"":false,""suspend_parent"":false,""suspend_process"":false}",1781022738,2899943384062,1781022712,,,,a60ffecad22d37c24b669d30abadb43c19e8ca7c45abc1b51e8605fe74276bb4,0000000000000000000000000000000000000000,,,,356483180482,2899943384062,"pid:0c845812509d427887cf3da2ae30b081:2899943384062",ldt,"S-1-5-21-000000000-3729467482-3682059372-2119","contoadmin","contoadmin@CONTO-DMZ.Local","Crowdstrike Team","eppteam@crowdstrike.com",00000000000000000000000000000000,6c5013391ca490509937309c0521b3c6,"6c5013391ca490509937309c0521b3c6:ind:0c845812509d427887cf3da2ae30b081:2899943384062-287-47570448",60,"09/06/2026, 16:37:16.228","Process accessed NTDS.dit in a Volume Shadow Snapshot and subsequently wrote a file that may contain the NTDS database.",,,,"ind:0c845812509d427887cf3da2ae30b081:2899943384062-287-47570448","[{""pattern_id"":287,""tactic_id"":""TA0006"",""technique_id"":""T1003"",""tactic"":""Credential Access"",""technique"":""OS Credential Dumping""}]",NtdsCopyFromVss,,,,,,,,,"aggind:0c845812509d427887cf3da2ae30b081:356483180482","Gain Access","AACNRXn2HKRAUJk3MJwFIbPG7Z8McykKRcr0DpGTubudAAAATiHU2me8uvlM3aSRli-_pR1UWc-_zkLFRzeMIWeibi5LzQ==",,,"credential_theft",60,High,,,,,,,"Credential Access","OS Credential 
Dumping",TA0006,T1003,,,,CrowdStrikeDetections
+"3187578c-499a-423e-9c9d-af9a55e1b4db","09/06/2026, 16:48:16.942",,,,"09/06/2026, 16:33:16.055",,,,,,,,,,,"09/06/2026, 16:47:27.628",true,643,641,true,closed,exe,,,ntdsutil,,"{""agent_load_flags"":""17"",""agent_local_time"":""2026-06-06T22:26:33.5520000Z"",""agent_version"":""7.37.20907.0"",""bios_manufacturer"":""VMware, Inc."",""bios_version"":"""",""cid"":""6c5013391ca490509937309c0521b3c6"",""config_id_base"":""65994767"",""config_id_build"":""20907"",""config_id_platform"":""3"",""device_id"":""0c845812509d427887cf3da2ae30b081"",""external_ip"":""10.131.109.8"",""first_seen"":""2024-05-04T07:56:26.0000000Z"",""groups"":[""b72f81dd3bd04a1e85b655d368051e84"",""f5e455d12b8746be90388df409ba31a2"",""f8ddd8560d3a41e69f7f93d3344b90c5"",""3d911dc2afe04e0f9d938dc87915efff"",""83cafcdfa48b4077b2c582ca1ab441c7""],""hostinfo"":{""active_directory_dn_display"":[""Domain Controllers""],""domain"":""CONTO-DMZ.Local""},""hostname"":""host-DC-02"",""last_seen"":""2026-06-09T16:27:34.0000000Z"",""local_ip"":""192.131.109.8"",""mac_address"":""af-56-0f-50-50-00"",""machine_domain"":""CONTO-DMZ.Local"",""major_version"":""10"",""minor_version"":""0"",""modified_timestamp"":""2026-06-09T16:29:03.0000000Z"",""os_version"":""Windows Server 2022"",""ou"":[""Domain Controllers""],""platform_id"":""0"",""platform_name"":""Windows"",""product_type"":""2"",""product_type_desc"":""Domain Controller"",""site_name"":""PRODUCTION"",""status"":""normal"",""system_manufacturer"":""VMware, 
Inc."",""system_product_name"":""VMware""}","https://falcon.crowdstrike.com/activity-v2/detections/6c5013391ca490509937309c0521b3c6:ind:0c845812509d427887cf3da2ae30b081:2899943384062-10295-47569424?_cid=c30dbcy2nbvaj34bar7dg5ixcs3cvzna","ntdsutil.exe","\Device\HarddiskVolume3\Windows\System32\ntdsutil.exe",common,"{""cmdline"":""C:\\Windows\\Explorer.EXE"",""filename"":""explorer.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\explorer.exe"",""local_process_id"":""11452"",""md5"":""375e3efe6760fca8e2b9c164b2538e07"",""process_graph_id"":""pid:0c845812509d427887cf3da2ae30b081:2899899169211"",""process_id"":""2899899169211"",""sha256"":""10886b2c4aaecd2c4bc59e95184835dfd7591cb47d75f857a88d19e585eb5dc5"",""timestamp"":""2026-06-09T16:31:02.0000000Z"",""user_graph_id"":""uid:0c845812509d427887cf3da2ae30b081:S-1-5-21-000000000-3729467482-3682059372-2119"",""user_id"":""S-1-5-21-000000000-3729467482-3682059372-2119"",""user_name"":""contoadmin""}",,"ind:0c845812509d427887cf3da2ae30b081:2899943384062-10295-47569424","[]",low,1028,CONTO-DMZ,8dbe356fed32e23ce95ac65893876004,,,"{""cmdline"":""\""C:\\Windows\\system32\\cmd.exe\"" "",""filename"":""cmd.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\System32\\cmd.exe"",""local_process_id"":""3976"",""md5"":""f63068e624fe6b82058aaaa671d4bc96"",""process_graph_id"":""pid:0c845812509d427887cf3da2ae30b081:2899941135166"",""process_id"":""2899941135166"",""sha256"":""90d120880614e1e2a94067baad1454b09e2be7a9da51b71e33c247077d9f9538"",""timestamp"":""2026-06-09T16:31:41.0000000Z"",""user_graph_id"":""uid:0c845812509d427887cf3da2ae30b081:S-1-5-21-000000000-3729467482-3682059372-2119"",""user_id"":""S-1-5-21-000000000-3729467482-3682059372-2119"",""user_name"":""contoadmin""}",2899941135166,0,"Detection, standard 
detection.","{""blocking_unsupported_or_disabled"":false,""bootup_safeguard_enabled"":false,""containment_file_system"":false,""critical_process_disabled"":false,""detect"":false,""fs_operation_blocked"":false,""handle_operation_downgraded"":false,""inddet_mask"":false,""indicator"":false,""kill_action_failed"":false,""kill_parent"":false,""kill_process"":false,""kill_subprocess"":false,""mfa_required"":false,""operation_blocked"":false,""policy_disabled"":false,""prevention_provisioning_enabled"":false,""process_blocked"":false,""quarantine_file"":false,""quarantine_machine"":false,""registry_operation_blocked"":false,""response_action_already_applied"":false,""response_action_failed"":false,""response_action_triggered"":false,""rooting"":false,""sensor_only"":false,""suspend_parent"":false,""suspend_process"":false}",1781022738,2899943384062,1781022712,,,,a60ffecad22d37c24b669d30abadb43c19e8ca7c45abc1b51e8605fe74276bb4,0000000000000000000000000000000000000000,,,,356483180482,2899943384062,"pid:0c845812509d427887cf3da2ae30b081:2899943384062",ldt,"S-1-5-21-000000000-3729467482-3682059372-2119","contoadmin","contoadmin@CONTO-DMZ.Local","Crowdstrike Team","eppteam@crowdstrike.com",00000000000000000000000000000000,6c5013391ca490509937309c0521b3c6,"6c5013391ca490509937309c0521b3c6:ind:0c845812509d427887cf3da2ae30b081:2899943384062-10295-47569424",80,"09/06/2026, 16:37:16.226","A suspicious process may have accessed an Active Directory database (NTDS.dit). This might indicate an attempt to steal domain credentials. 
Investigate the process tree.",,,,"ind:0c845812509d427887cf3da2ae30b081:2899943384062-10295-47569424","[{""pattern_id"":10295,""tactic_id"":""TA0006"",""technique_id"":""T1003"",""tactic"":""Credential Access"",""technique"":""OS Credential Dumping""}]",NtdsDatabaseAccess,,,,,,,,,"aggind:0c845812509d427887cf3da2ae30b081:356483180482","Gain Access","AACNRXn2HKRAUJk3MJwFIbPGcve01n3NPEgK6Rynz59MbwAATiHonCaalOLkgY8D-1-8_3BDyroi4PczMI427EuICJXwbQ==",,,"credential_theft",70,High,,,,,,,"Credential Access","OS Credential Dumping",TA0006,T1003,,,,CrowdStrikeDetections
+"3187578c-499a-423e-9c9d-af9a55e1b4db","09/06/2026, 16:48:16.942",,,,"09/06/2026, 16:33:18.950",,,,,,,,,,,"09/06/2026, 16:47:27.524",true,640,638,true,closed,exe,,,ntdsutil,,"{""agent_load_flags"":""17"",""agent_local_time"":""2026-06-06T22:26:33.5520000Z"",""agent_version"":""7.37.20907.0"",""bios_manufacturer"":""VMware, Inc."",""bios_version"":"""",""cid"":""6c5013391ca490509937309c0521b3c6"",""config_id_base"":""65994767"",""config_id_build"":""20907"",""config_id_platform"":""3"",""device_id"":""0c845812509d427887cf3da2ae30b081"",""external_ip"":""10.131.109.8"",""first_seen"":""2024-05-04T07:56:26.0000000Z"",""groups"":[""b72f81dd3bd04a1e85b655d368051e84"",""f5e455d12b8746be90388df409ba31a2"",""f8ddd8560d3a41e69f7f93d3344b90c5"",""3d911dc2afe04e0f9d938dc87915efff"",""83cafcdfa48b4077b2c582ca1ab441c7""],""hostinfo"":{""active_directory_dn_display"":[""Domain Controllers""],""domain"":""CONTO-DMZ.Local""},""hostname"":""host-DC-02"",""last_seen"":""2026-06-09T16:27:34.0000000Z"",""local_ip"":""192.131.109.8"",""mac_address"":""af-56-0f-50-50-00"",""machine_domain"":""CONTO-DMZ.Local"",""major_version"":""10"",""minor_version"":""0"",""modified_timestamp"":""2026-06-09T16:29:03.0000000Z"",""os_version"":""Windows Server 2022"",""ou"":[""Domain Controllers""],""platform_id"":""0"",""platform_name"":""Windows"",""product_type"":""2"",""product_type_desc"":""Domain Controller"",""site_name"":""PRODUCTION"",""status"":""normal"",""system_manufacturer"":""VMware, 
Inc."",""system_product_name"":""VMware""}","https://falcon.crowdstrike.com/activity-v2/detections/6c5013391ca490509937309c0521b3c6:ind:0c845812509d427887cf3da2ae30b081:2899943384062-10295-47586832?_cid=c30dbcy2nbvaj34bar7dg5ixcs3cvzna","ntdsutil.exe","\Device\HarddiskVolume3\Windows\System32\ntdsutil.exe",common,"{""cmdline"":""C:\\Windows\\Explorer.EXE"",""filename"":""explorer.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\explorer.exe"",""local_process_id"":""11452"",""md5"":""375e3efe6760fca8e2b9c164b2538e07"",""process_graph_id"":""pid:0c845812509d427887cf3da2ae30b081:2899899169211"",""process_id"":""2899899169211"",""sha256"":""10886b2c4aaecd2c4bc59e95184835dfd7591cb47d75f857a88d19e585eb5dc5"",""timestamp"":""2026-06-09T16:31:02.0000000Z"",""user_graph_id"":""uid:0c845812509d427887cf3da2ae30b081:S-1-5-21-000000000-3729467482-3682059372-2119"",""user_id"":""S-1-5-21-000000000-3729467482-3682059372-2119"",""user_name"":""contoadmin""}",,"ind:0c845812509d427887cf3da2ae30b081:2899943384062-10295-47586832","[]",low,1028,CONTO-DMZ,8dbe356fed32e23ce95ac65893876004,,,"{""cmdline"":""\""C:\\Windows\\system32\\cmd.exe\"" "",""filename"":""cmd.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\System32\\cmd.exe"",""local_process_id"":""3976"",""md5"":""f63068e624fe6b82058aaaa671d4bc96"",""process_graph_id"":""pid:0c845812509d427887cf3da2ae30b081:2899941135166"",""process_id"":""2899941135166"",""sha256"":""90d120880614e1e2a94067baad1454b09e2be7a9da51b71e33c247077d9f9538"",""timestamp"":""2026-06-09T16:31:41.0000000Z"",""user_graph_id"":""uid:0c845812509d427887cf3da2ae30b081:S-1-5-21-000000000-3729467482-3682059372-2119"",""user_id"":""S-1-5-21-000000000-3729467482-3682059372-2119"",""user_name"":""contoadmin""}",2899941135166,0,"Detection, standard 
detection.","{""blocking_unsupported_or_disabled"":false,""bootup_safeguard_enabled"":false,""containment_file_system"":false,""critical_process_disabled"":false,""detect"":false,""fs_operation_blocked"":false,""handle_operation_downgraded"":false,""inddet_mask"":false,""indicator"":false,""kill_action_failed"":false,""kill_parent"":false,""kill_process"":false,""kill_subprocess"":false,""mfa_required"":false,""operation_blocked"":false,""policy_disabled"":false,""prevention_provisioning_enabled"":false,""process_blocked"":false,""quarantine_file"":false,""quarantine_machine"":false,""registry_operation_blocked"":false,""response_action_already_applied"":false,""response_action_failed"":false,""response_action_triggered"":false,""rooting"":false,""sensor_only"":false,""suspend_parent"":false,""suspend_process"":false}",1781022738,2899943384062,1781022712,,,,a60ffecad22d37c24b669d30abadb43c19e8ca7c45abc1b51e8605fe74276bb4,0000000000000000000000000000000000000000,,,,356483180482,2899943384062,"pid:0c845812509d427887cf3da2ae30b081:2899943384062",ldt,"S-1-5-21-000000000-3729467482-3682059372-2119","contoadmin","contoadmin@CONTO-DMZ.Local","Crowdstrike Team","eppteam@crowdstrike.com",00000000000000000000000000000000,6c5013391ca490509937309c0521b3c6,"6c5013391ca490509937309c0521b3c6:ind:0c845812509d427887cf3da2ae30b081:2899943384062-10295-47586832",80,"09/06/2026, 16:37:18.841","A suspicious process may have accessed an Active Directory database (NTDS.dit). This might indicate an attempt to steal domain credentials. 
Investigate the process tree.",,,,"ind:0c845812509d427887cf3da2ae30b081:2899943384062-10295-47586832","[{""pattern_id"":10295,""tactic_id"":""TA0006"",""technique_id"":""T1003"",""tactic"":""Credential Access"",""technique"":""OS Credential Dumping""}]",NtdsDatabaseAccess,,,,,,,,,"aggind:0c845812509d427887cf3da2ae30b081:356483180482","Gain Access","AACNRXn2HKRAUJk3MJwFIbPG5oeW_AJoaZ7rKRd0RD-QEwAATiE0WSbZ5Xr_iozIB5uTlUfD9VRmnuO1UQP4oY2TXoQgoQ==",,,"credential_theft",70,High,,,,,,,"Credential Access","OS Credential Dumping",TA0006,T1003,,,,CrowdStrikeDetections
+"3187578c-499a-423e-9c9d-af9a55e1b4db","09/06/2026, 16:48:16.942",,,,"09/06/2026, 16:33:18.972",,,,,,,,,,,"09/06/2026, 16:47:27.669",true,640,638,true,closed,exe,,,ntdsutil,,"{""agent_load_flags"":""17"",""agent_local_time"":""2026-06-06T22:26:33.5520000Z"",""agent_version"":""7.37.20907.0"",""bios_manufacturer"":""VMware, Inc."",""bios_version"":"""",""cid"":""6c5013391ca490509937309c0521b3c6"",""config_id_base"":""65994767"",""config_id_build"":""20907"",""config_id_platform"":""3"",""device_id"":""0c845812509d427887cf3da2ae30b081"",""external_ip"":""10.131.109.8"",""first_seen"":""2024-05-04T07:56:26.0000000Z"",""groups"":[""b72f81dd3bd04a1e85b655d368051e84"",""f5e455d12b8746be90388df409ba31a2"",""f8ddd8560d3a41e69f7f93d3344b90c5"",""3d911dc2afe04e0f9d938dc87915efff"",""83cafcdfa48b4077b2c582ca1ab441c7""],""hostinfo"":{""active_directory_dn_display"":[""Domain Controllers""],""domain"":""CONTO-DMZ.Local""},""hostname"":""host-DC-02"",""last_seen"":""2026-06-09T16:27:34.0000000Z"",""local_ip"":""192.131.109.8"",""mac_address"":""af-56-0f-50-50-00"",""machine_domain"":""CONTO-DMZ.Local"",""major_version"":""10"",""minor_version"":""0"",""modified_timestamp"":""2026-06-09T16:29:03.0000000Z"",""os_version"":""Windows Server 2022"",""ou"":[""Domain Controllers""],""platform_id"":""0"",""platform_name"":""Windows"",""product_type"":""2"",""product_type_desc"":""Domain Controller"",""site_name"":""PRODUCTION"",""status"":""normal"",""system_manufacturer"":""VMware, 
Inc."",""system_product_name"":""VMware""}","https://falcon.crowdstrike.com/activity-v2/detections/6c5013391ca490509937309c0521b3c6:ind:0c845812509d427887cf3da2ae30b081:2899943384062-10295-47588880?_cid=c30dbcy2nbvaj34bar7dg5ixcs3cvzna","ntdsutil.exe","\Device\HarddiskVolume3\Windows\System32\ntdsutil.exe",common,"{""cmdline"":""C:\\Windows\\Explorer.EXE"",""filename"":""explorer.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\explorer.exe"",""local_process_id"":""11452"",""md5"":""375e3efe6760fca8e2b9c164b2538e07"",""process_graph_id"":""pid:0c845812509d427887cf3da2ae30b081:2899899169211"",""process_id"":""2899899169211"",""sha256"":""10886b2c4aaecd2c4bc59e95184835dfd7591cb47d75f857a88d19e585eb5dc5"",""timestamp"":""2026-06-09T16:31:02.0000000Z"",""user_graph_id"":""uid:0c845812509d427887cf3da2ae30b081:S-1-5-21-000000000-3729467482-3682059372-2119"",""user_id"":""S-1-5-21-000000000-3729467482-3682059372-2119"",""user_name"":""contoadmin""}",,"ind:0c845812509d427887cf3da2ae30b081:2899943384062-10295-47588880","[]",low,1028,CONTO-DMZ,8dbe356fed32e23ce95ac65893876004,,,"{""cmdline"":""\""C:\\Windows\\system32\\cmd.exe\"" "",""filename"":""cmd.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\System32\\cmd.exe"",""local_process_id"":""3976"",""md5"":""f63068e624fe6b82058aaaa671d4bc96"",""process_graph_id"":""pid:0c845812509d427887cf3da2ae30b081:2899941135166"",""process_id"":""2899941135166"",""sha256"":""90d120880614e1e2a94067baad1454b09e2be7a9da51b71e33c247077d9f9538"",""timestamp"":""2026-06-09T16:31:41.0000000Z"",""user_graph_id"":""uid:0c845812509d427887cf3da2ae30b081:S-1-5-21-000000000-3729467482-3682059372-2119"",""user_id"":""S-1-5-21-000000000-3729467482-3682059372-2119"",""user_name"":""contoadmin""}",2899941135166,0,"Detection, standard 
detection.","{""blocking_unsupported_or_disabled"":false,""bootup_safeguard_enabled"":false,""containment_file_system"":false,""critical_process_disabled"":false,""detect"":false,""fs_operation_blocked"":false,""handle_operation_downgraded"":false,""inddet_mask"":false,""indicator"":false,""kill_action_failed"":false,""kill_parent"":false,""kill_process"":false,""kill_subprocess"":false,""mfa_required"":false,""operation_blocked"":false,""policy_disabled"":false,""prevention_provisioning_enabled"":false,""process_blocked"":false,""quarantine_file"":false,""quarantine_machine"":false,""registry_operation_blocked"":false,""response_action_already_applied"":false,""response_action_failed"":false,""response_action_triggered"":false,""rooting"":false,""sensor_only"":false,""suspend_parent"":false,""suspend_process"":false}",1781022738,2899943384062,1781022712,,,,a60ffecad22d37c24b669d30abadb43c19e8ca7c45abc1b51e8605fe74276bb4,0000000000000000000000000000000000000000,,,,356483180482,2899943384062,"pid:0c845812509d427887cf3da2ae30b081:2899943384062",ldt,"S-1-5-21-000000000-3729467482-3682059372-2119","contoadmin","contoadmin@CONTO-DMZ.Local","Crowdstrike Team","eppteam@crowdstrike.com",00000000000000000000000000000000,6c5013391ca490509937309c0521b3c6,"6c5013391ca490509937309c0521b3c6:ind:0c845812509d427887cf3da2ae30b081:2899943384062-10295-47588880",80,"09/06/2026, 16:37:19.022","A suspicious process may have accessed an Active Directory database (NTDS.dit). This might indicate an attempt to steal domain credentials. 
Investigate the process tree.",,,,"ind:0c845812509d427887cf3da2ae30b081:2899943384062-10295-47588880","[{""pattern_id"":10295,""tactic_id"":""TA0006"",""technique_id"":""T1003"",""tactic"":""Credential Access"",""technique"":""OS Credential Dumping""}]",NtdsDatabaseAccess,,,,,,,,,"aggind:0c845812509d427887cf3da2ae30b081:356483180482","Gain Access","AACNRXn2HKRAUJk3MJwFIbPG2NS-7D9iXXrd9oiCzGqp8AAATiFKXiMsUJUF5cpPT49uM2b28uajU1phnuPT7VRmf0_NUQ==",,,"credential_theft",70,High,,,,,,,"Credential Access","OS Credential Dumping",TA0006,T1003,,,,CrowdStrikeDetections
+"3187578c-499a-423e-9c9d-af9a55e1b4db","09/06/2026, 20:03:16.769",,,,"09/06/2026, 19:59:14.332",,,,,,,,,,,"09/06/2026, 19:59:17.264",true,2,0,true,closed,exe,"[""pid:89a41ef152b24cdfa7a803fff0eab68c:23758189741944"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23758193940407"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23758200575452"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23758242801321"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23758257943177"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23762397262465"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23762623726895"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23782675554226"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23782854866792"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23782967620435"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23783064978333"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23783077236115"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23786744901801"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23786760958186"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23787550708231"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23847356997520"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23849722536386"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23849798190025"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23853944352223"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23873812906746"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23875844366540"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23898283561357"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23898327191224"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23898544793244"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23899123749521"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23899148559611"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23899382792878"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23899637692004"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23900010596594"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23900053091817"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23900440922135"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23900618471530"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23900695
862526"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23901119262291"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23758178051634"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23900461226474"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23762373514102"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23762850302267"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23762693036531"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23758317082341"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23873735797394"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23758246166380"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23758184030438"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23762777114609"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23758324773740"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23762760772451"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23762737186402"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23900504564528"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23899308005988"",""pid:89a41ef152b24cdfa7a803fff0eab68c:23919814630705""]",,"C:\WINDOWS\Explorer.EXE",,"{""agent_load_flags"":""16"",""agent_local_time"":""2026-06-04T10:17:54.6200000Z"",""agent_version"":""7.37.20907.0"",""bios_manufacturer"":""HP"",""bios_version"":"""",""cid"":""6c5013391ca490509937309c0521b3c6"",""config_id_base"":""65994767"",""config_id_build"":""20907"",""config_id_platform"":""3"",""device_id"":""89a41ef152b24cdfa7a803fff0eab68c"",""external_ip"":""10.0.64.93"",""first_seen"":""2022-04-06T22:47:20.0000000Z"",""groups"":[""78d26f89268b40288c2483eb1e7b242a"",""bb29ca195b294e31bb7a775259d2c71e""],""hostinfo"":{""active_directory_dn_display"":[""Desktops"",""Desktops\\EndUserDevices"",""Desktops\\EndUserDevices\\Workstations"",""Desktops\\EndUserDevices\\Workstations\\Accounts""],""domain"":""CONTOSO.local""},""hostname"":""host-402220"",""last_seen"":""2026-06-09T19:46:32.0000000Z"",""local_ip"":""10.200.2.11"",""mac_address"":""af-ef-0f-7b-50-9c"",""machine_domain"":""CONTOSO.local"",""major_version"":""10"",""minor_version"":""0"",""modified_timestamp"":""2026-06-09T19:47
:02.0000000Z"",""os_version"":""Windows 11"",""ou"":[""Desktops"",""EndUserDevices"",""Workstations"",""Accounts""],""platform_id"":""0"",""platform_name"":""Windows"",""product_type"":""1"",""product_type_desc"":""Workstation"",""site_name"":""PRODUCTION"",""status"":""normal"",""system_manufacturer"":""HP"",""system_product_name"":""HP PC"",""tags"":[""FalconGroupingTags/Pilot-Hosts""]}","https://falcon.crowdstrike.com/activity-v2/detections/6c5013391ca490509937309c0521b3c6:ind:89a41ef152b24cdfa7a803fff0eab68c:23758051604473-5743-81583888?_cid=c30dbcy2nbvaj34bar7dg5ixcs3cvzna","explorer.exe","\Device\HarddiskVolume3\Windows\explorer.exe",common,"{""cmdline"":""winlogon.exe"",""filename"":""winlogon.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\System32\\winlogon.exe"",""local_process_id"":""1120"",""md5"":""72ff34390699af1e7c16b4f436c22994"",""process_graph_id"":""pid:89a41ef152b24cdfa7a803fff0eab68c:23755474475149"",""process_id"":""23755474475149"",""sha256"":""4d00732ae68a01660af9adcc145e747731f1fcd113d3850f153059d621054945"",""timestamp"":""2026-05-28T17:49:12.1700000Z"",""user_graph_id"":""uid:89a41ef152b24cdfa7a803fff0eab68c:S-1-5-18"",""user_id"":""S-1-5-18"",""user_name"":""host-402220$""}",,"ind:89a41ef152b24cdfa7a803fff0eab68c:23758051604473-5743-81583888","[{""ioc_description"":""\\Device\\HarddiskVolume3\\LocalData\\SyncHost.exe"",""ioc_source"":""file_write"",""ioc_type"":""hash_sha256"",""ioc_value"":""dfaef280286946a8535b3927c6d443007f741fcf8e9aaf7823d1d3f92bf7ffbc"",""md5"":""8fc8fcebec5d02ae5b06668122b38dc7"",""sha256"":""dfaef280286946a8535b3927c6d443007f741fcf8e9aaf7823d1d3f92bf7ffbc"",""type"":""module""}]",common,13756,CONTOSO,8fc8fcebec5d02ae5b06668122b38dc7,"[{""access_timestamp"":""1780689752"",""access_type"":0,""connection_direction"":""Outbound"",""isIPV6"":false,""local_address"":""10.200.2.11"",""local_port"":""49996"",""protocol"":""TCP"",""remote_address"":""52.110.2.16"",""remote_port"":""443""},{""access_timestamp"":""17
80689752"",""access_type"":0,""connection_direction"":""Outbound"",""isIPV6"":false,""local_address"":""10.200.2.11"",""local_port"":""49997"",""protocol"":""TCP"",""remote_address"":""52.110.2.39"",""remote_port"":""443""},{""access_timestamp"":""1780689754"",""access_type"":0,""connection_direction"":""Outbound"",""isIPV6"":false,""local_address"":""10.200.2.11"",""local_port"":""50003"",""protocol"":""TCP"",""remote_address"":""52.96.121.50"",""remote_port"":""443""},{""access_timestamp"":""1780689754"",""access_type"":0,""connection_direction"":""Outbound"",""isIPV6"":false,""local_address"":""10.200.2.11"",""local_port"":""50001"",""protocol"":""TCP"",""remote_address"":""52.96.184.146"",""remote_port"":""443""},{""access_timestamp"":""1780776266"",""access_type"":0,""connection_direction"":""Outbound"",""isIPV6"":false,""local_address"":""10.200.2.11"",""local_port"":""52907"",""protocol"":""TCP"",""remote_address"":""52.110.2.39"",""remote_port"":""443""},{""access_timestamp"":""1780776266"",""access_type"":0,""connection_direction"":""Outbound"",""isIPV6"":false,""local_address"":""10.200.2.11"",""local_port"":""52905"",""protocol"":""TCP"",""remote_address"":""52.96.184.146"",""remote_port"":""443""},{""access_timestamp"":""1780776266"",""access_type"":0,""connection_direction"":""Outbound"",""isIPV6"":false,""local_address"":""10.200.2.11"",""local_port"":""52906"",""protocol"":""TCP"",""remote_address"":""52.110.2.16"",""remote_port"":""443""},{""access_timestamp"":""1780862792"",""access_type"":0,""connection_direction"":""Outbound"",""isIPV6"":false,""local_address"":""10.200.2.11"",""local_port"":""59391"",""protocol"":""TCP"",""remote_address"":""52.96.184.146"",""remote_port"":""443""},{""access_timestamp"":""1780862792"",""access_type"":0,""connection_direction"":""Outbound"",""isIPV6"":false,""local_address"":""10.200.2.11"",""local_port"":""59392"",""protocol"":""TCP"",""remote_address"":""52.110.2.16"",""remote_port"":""443""},{""access_timestamp
"":""1780862793"",""access_type"":0,""connection_direction"":""Outbound"",""isIPV6"":false,""local_address"":""10.200.2.11"",""local_port"":""59393"",""protocol"":""TCP"",""remote_address"":""52.110.2.39"",""remote_port"":""443""}]",,"{""cmdline"":""C:\\Windows\\system32\\userinit.exe"",""filename"":""userinit.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\System32\\userinit.exe"",""local_process_id"":""556"",""md5"":""f6adda386f70bfc095dcd12fb9ce174e"",""process_graph_id"":""pid:89a41ef152b24cdfa7a803fff0eab68c:23758042279610"",""process_id"":""23758042279610"",""sha256"":""c389ea869e8e0708e4566c703e9b3212eb8e94ef03477da94ae4b1ec57ea6879"",""timestamp"":""2026-05-28T18:55:05.0000000Z"",""user_graph_id"":""uid:89a41ef152b24cdfa7a803fff0eab68c:S-1-5-21-000000000-1431365391-3430335985-31583"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-31583"",""user_name"":""contoso.user""}",23758042279610,0,"Detection, standard detection.","{""blocking_unsupported_or_disabled"":false,""bootup_safeguard_enabled"":false,""containment_file_system"":false,""critical_process_disabled"":false,""detect"":false,""fs_operation_blocked"":false,""handle_operation_downgraded"":false,""inddet_mask"":false,""indicator"":false,""kill_action_failed"":false,""kill_parent"":false,""kill_process"":false,""kill_subprocess"":false,""mfa_required"":false,""operation_blocked"":false,""policy_disabled"":false,""prevention_provisioning_enabled"":false,""process_blocked"":false,""quarantine_file"":false,""quarantine_machine"":false,""registry_operation_blocked"":false,""response_action_already_applied"":false,""response_action_failed"":false,""response_action_triggered"":false,""rooting"":false,""sensor_only"":false,""suspend_parent"":false,""suspend_process"":false}",,23758051604473,1779994505,,,,dfaef280286946a8535b3927c6d443007f741fcf8e9aaf7823d1d3f92bf7ffbc,0000000000000000000000000000000000000000,,,,1142461939506,23758051604473,"pid:89a41ef152b24cdfa7a803fff0eab68c:23758051604473",l
dt,"S-1-5-21-000000000-1431365391-3430335985-31583","contoso.user","contoso.user@CONTOSO.local","Crowdstrike Team","eppteam@crowdstrike.com",00000000000000000000000000000000,6c5013391ca490509937309c0521b3c6,"6c5013391ca490509937309c0521b3c6:ind:89a41ef152b24cdfa7a803fff0eab68c:23758051604473-5743-81583888",30,"09/06/2026, 19:59:14.332","A file written to the file-system meets the File Analysis ML algorithm's low-confidence threshold for malware.",,,,"ind:89a41ef152b24cdfa7a803fff0eab68c:23758051604473-5743-81583888","[{""pattern_id"":5743,""tactic_id"":""CSTA0004"",""technique_id"":""CST0008"",""tactic"":""Machine Learning"",""technique"":""Cloud-based ML""}]","OnWrite-PrewittSensorDetect-Low",,,,,,,,,"aggind:89a41ef152b24cdfa7a803fff0eab68c:1142461939506","Falcon Detection Method","AACNRXn2HKRAUJk3MJwFIbPGQzGKlGtyTvPxAS74jEnw2AAATiE06uGX-eYSAN8JzF9sUIZwCBHuznDoFouUWduFf5K_Aw==",,,NGAV,30,Low,,,,,,,"Machine Learning","Cloud-based ML",CSTA0004,CST0008,,,,CrowdStrikeDetections
+"3187578c-499a-423e-9c9d-af9a55e1b4db","09/06/2026, 20:03:16.769",,,,"09/06/2026, 19:59:16.585",,,,,,,,,,,"09/06/2026, 20:01:33.608",true,0,0,true,new,exe,,,"""C:\LocalData\SyncHost.exe"" ",,"{""agent_load_flags"":""16"",""agent_local_time"":""2026-06-04T10:17:54.6200000Z"",""agent_version"":""7.37.20907.0"",""bios_manufacturer"":""HP"",""bios_version"":"""",""cid"":""6c5013391ca490509937309c0521b3c6"",""config_id_base"":""65994767"",""config_id_build"":""20907"",""config_id_platform"":""3"",""device_id"":""89a41ef152b24cdfa7a803fff0eab68c"",""external_ip"":""10.206.64.93"",""first_seen"":""2022-04-06T22:47:20.0000000Z"",""groups"":[""78d26f89268b40288c2483eb1e7b242a"",""bb29ca195b294e31bb7a775259d2c71e""],""hostinfo"":{""active_directory_dn_display"":[""Desktops"",""Desktops\\EndUserDevices"",""Desktops\\EndUserDevices\\Workstations"",""Desktops\\EndUserDevices\\Workstations\\Accounts""],""domain"":""CONTOSO.local""},""hostname"":""host-402220"",""last_seen"":""2026-06-09T19:46:32.0000000Z"",""local_ip"":""10.200.2.11"",""mac_address"":""af-ef-0f-7b-50-9c"",""machine_domain"":""CONTOSO.local"",""major_version"":""10"",""minor_version"":""0"",""modified_timestamp"":""2026-06-09T19:47:02.0000000Z"",""os_version"":""Windows 11"",""ou"":[""Desktops"",""EndUserDevices"",""Workstations"",""Accounts""],""platform_id"":""0"",""platform_name"":""Windows"",""product_type"":""1"",""product_type_desc"":""Workstation"",""site_name"":""PRODUCTION"",""status"":""normal"",""system_manufacturer"":""HP"",""system_product_name"":""HP 
PC"",""tags"":[""FalconGroupingTags/Pilot-Hosts""]}","https://falcon.crowdstrike.com/activity-v2/detections/6c5013391ca490509937309c0521b3c6:ind:89a41ef152b24cdfa7a803fff0eab68c:24068787437407-5700-81585936?_cid=c30dbcy2nbvaj34bar7dg5ixcs3cvzna","SyncHost.exe","\Device\HarddiskVolume3\LocalData\SyncHost.exe",low,"{""cmdline"":""C:\\Windows\\system32\\userinit.exe"",""filename"":""userinit.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\System32\\userinit.exe"",""local_process_id"":""556"",""md5"":""f6adda386f70bfc095dcd12fb9ce174e"",""process_graph_id"":""pid:89a41ef152b24cdfa7a803fff0eab68c:23758042279610"",""process_id"":""23758042279610"",""sha256"":""c389ea869e8e0708e4566c703e9b3212eb8e94ef03477da94ae4b1ec57ea6879"",""timestamp"":""2026-05-28T18:55:05.0000000Z"",""user_graph_id"":""uid:89a41ef152b24cdfa7a803fff0eab68c:S-1-5-21-000000000-1431365391-3430335985-31583"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-31583"",""user_name"":""contoso.user""}",,"ind:89a41ef152b24cdfa7a803fff0eab68c:24068787437407-5700-81585936","[{""ioc_description"":""\\Device\\HarddiskVolume3\\LocalData\\SyncHost.exe"",""ioc_source"":""library_load"",""ioc_type"":""hash_sha256"",""ioc_value"":""dfaef280286946a8535b3927c6d443007f741fcf8e9aaf7823d1d3f92bf7ffbc"",""md5"":""8fc8fcebec5d02ae5b06668122b38dc7"",""sha256"":""dfaef280286946a8535b3927c6d443007f741fcf8e9aaf7823d1d3f92bf7ffbc"",""type"":""module""}]",low,51076,CONTOSO,8fc8fcebec5d02ae5b06668122b38dc7,,,"{""cmdline"":""C:\\WINDOWS\\Explorer.EXE"",""filename"":""explorer.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Windows\\explorer.exe"",""local_process_id"":""13756"",""md5"":""ac40353454b81af352815bc599e26380"",""process_graph_id"":""pid:89a41ef152b24cdfa7a803fff0eab68c:23758051604473"",""process_id"":""23758051604473"",""sha256"":""f468e15e73aae3ddab99ea74a9b34bab0104790e5e5b90906fafb713f3f4c7ea"",""timestamp"":""2026-06-04T16:17:59.3630000Z"",""user_graph_id"":""uid:89a41ef152b24cdfa7a803fff0eab68c:S-1-5-21-
000000000-1431365391-3430335985-31583"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-31583"",""user_name"":""contoso.user""}",23758051604473,2048,"Prevention, process was blocked from execution.","{""blocking_unsupported_or_disabled"":false,""bootup_safeguard_enabled"":false,""containment_file_system"":false,""critical_process_disabled"":false,""detect"":false,""fs_operation_blocked"":false,""handle_operation_downgraded"":false,""inddet_mask"":false,""indicator"":false,""kill_action_failed"":false,""kill_parent"":false,""kill_process"":false,""kill_subprocess"":false,""mfa_required"":false,""operation_blocked"":false,""policy_disabled"":false,""prevention_provisioning_enabled"":false,""process_blocked"":true,""quarantine_file"":false,""quarantine_machine"":false,""registry_operation_blocked"":false,""response_action_already_applied"":false,""response_action_failed"":false,""response_action_triggered"":false,""rooting"":false,""sensor_only"":false,""suspend_parent"":false,""suspend_process"":false}",1781035093,24068787437407,1781035093,,"[{""filename"":""\\Device\\HarddiskVolume3\\LocalData\\SyncHost.exe"",""id"":""89a41ef152b24cdfa7a803fff0eab68c_dfaef280286946a8535b3927c6d443007f741fcf8e9aaf7823d1d3f92bf7ffbc"",""sha256"":""dfaef280286946a8535b3927c6d443007f741fcf8e9aaf7823d1d3f92bf7ffbc"",""state"":""quarantined""}]",,dfaef280286946a8535b3927c6d443007f741fcf8e9aaf7823d1d3f92bf7ffbc,0000000000000000000000000000000000000000,,,,1142461939506,23758051604473,"pid:89a41ef152b24cdfa7a803fff0eab68c:24068787437407",ldt,"S-1-5-21-000000000-1431365391-3430335985-31583","contoso.user","contoso.user@CONTOSO.local","Crowdstrike Team","eppteam@crowdstrike.com",00000000000000000000000000000000,6c5013391ca490509937309c0521b3c6,"6c5013391ca490509937309c0521b3c6:ind:89a41ef152b24cdfa7a803fff0eab68c:24068787437407-5700-81585936",30,"09/06/2026, 19:59:16.585","This file meets the machine learning-based on-sensor AV protection's low confidence threshold for malicious 
files.",,,,"ind:89a41ef152b24cdfa7a803fff0eab68c:24068787437407-5700-81585936","[{""pattern_id"":5700,""tactic_id"":""CSTA0004"",""technique_id"":""CST0007"",""tactic"":""Machine Learning"",""technique"":""Sensor-based ML""}]","MLSensor-Low",,,,,,,,,"aggind:89a41ef152b24cdfa7a803fff0eab68c:1142461939506","Falcon Detection Method","AACNRXn2HKRAUJk3MJwFIbPGaa1CGy-SvMitNZiwJBRBuQAATiGXQXajUnYl5gJB6USFDkpwZQ1KOYHShewg6MqEbcS3Bg==",,,NGAV,30,Low,,,,,,,"Machine Learning","Sensor-based ML",CSTA0004,CST0007,,,,CrowdStrikeDetections
+"3187578c-499a-423e-9c9d-af9a55e1b4db","14/06/2026, 22:18:17.727",,,,"14/06/2026, 22:08:19.867",,,,,,,,,,,"14/06/2026, 22:12:19.819",true,0,7,true,"in_progress",exe,,,"""C:\Program Files\Git\mingw64\bin\curl.exe"" -sL https://raw.githubusercontent.com/org/repo/main/install.ps1 -o C:/Users/CONTOS~1/AppData/Local/Temp/1/install.ps1",,"{""agent_load_flags"":""17"",""agent_local_time"":""2026-06-14T13:51:17.9950000Z"",""agent_version"":""7.37.20907.0"",""bios_manufacturer"":""HP"",""bios_version"":"""",""cid"":""6c5013391ca490509937309c0521b3c6"",""config_id_base"":""65994767"",""config_id_build"":""20907"",""config_id_platform"":""3"",""device_id"":""b30c6fd50d674d7aa0320c9177391112"",""external_ip"":""10.10.76.6"",""first_seen"":""2025-05-20T20:22:28.0000000Z"",""groups"":[""bb29ca195b294e31bb7a775259d2c71e""],""hostinfo"":{""active_directory_dn_display"":[""Mobile"",""Mobile\\EndUserDevices"",""Mobile\\EndUserDevices\\Workstations"",""Mobile\\EndUserDevices\\Workstations\\Accounts""],""domain"":""CONTOSO.local""},""hostname"":""host-406336"",""last_seen"":""2026-06-14T21:46:27.0000000Z"",""local_ip"":""172.18.112.1"",""mac_address"":""af-5d-0f-15-50-00"",""machine_domain"":""CONTOSO.local"",""major_version"":""10"",""minor_version"":""0"",""modified_timestamp"":""2026-06-14T22:09:25.0000000Z"",""os_version"":""Windows 11"",""ou"":[""Mobile"",""EndUserDevices"",""Workstations"",""Accounts""],""platform_id"":""0"",""platform_name"":""Windows"",""product_type"":""1"",""product_type_desc"":""Workstation"",""site_name"":""PRODUCTION"",""status"":""contained"",""system_manufacturer"":""HP"",""system_product_name"":""HP PC""}","https://falcon.crowdstrike.com/activity-v2/detections/6c5013391ca490509937309c0521b3c6:ind:b30c6fd50d674d7aa0320c9177391112:33866052384653-10166-16219920?_cid=c30dbcy2nbvaj34bar7dg5ixcs3cvzna","curl.exe","\Device\HarddiskVolume3\Program Files\Git\mingw64\bin\curl.exe",common,"{""cmdline"":""\""C:\\Program Files\\Git\\bin\\..\\usr\\bin\\bash.exe\"" 
--init-file \""c:\\Program Files\\Microsoft VS Code\\0958016b2a\\resources\\app/out/vs/workbench/contrib/terminal/common/scripts/shellIntegration-bash.sh\"""",""filename"":""bash.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Program Files\\Git\\usr\\bin\\bash.exe"",""local_process_id"":""3816"",""md5"":""3844251db42236ae73c8f4ac65183daa"",""process_graph_id"":""pid:b30c6fd50d674d7aa0320c9177391112:33865939130608"",""process_id"":""33865939130608"",""sha256"":""92cff5f145d42f85b55aa3be8d3ad9827844a21ec4fbeaa1ddfe1dd4d76c6474"",""timestamp"":""2026-06-14T22:10:37.0000000Z"",""user_graph_id"":""uid:b30c6fd50d674d7aa0320c9177391112:S-1-5-21-000000000-1431365391-3430335985-79117"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-79117"",""user_name"":""contoso.user""}",,"ind:b30c6fd50d674d7aa0320c9177391112:33866052384653-10166-16219920","[{""ioc_description"":""\\Device\\HarddiskVolume3\\Program Files\\Git\\mingw64\\bin\\curl.exe"",""ioc_source"":""library_load"",""ioc_type"":""hash_sha256"",""ioc_value"":""ed817c3886ea667ba251060a50ff934257f92ff6fe2e8efb75a966f506d4abac"",""md5"":""79419f51b3d67a793306b57b12cf52ae"",""sha256"":""ed817c3886ea667ba251060a50ff934257f92ff6fe2e8efb75a966f506d4abac"",""type"":""module""}]",common,18140,CONTOSO,79419f51b3d67a793306b57b12cf52ae,,,"{""cmdline"":""\""C:\\Program Files\\Git\\bin\\..\\usr\\bin\\bash.exe\"" --init-file \""c:\\Program Files\\Microsoft VS Code\\0958016b2a\\resources\\app/out/vs/workbench/contrib/terminal/common/scripts/shellIntegration-bash.sh\"""",""filename"":""bash.exe"",""filepath"":""\\Device\\HarddiskVolume3\\Program 
Files\\Git\\usr\\bin\\bash.exe"",""local_process_id"":""14960"",""md5"":""3844251db42236ae73c8f4ac65183daa"",""process_graph_id"":""pid:b30c6fd50d674d7aa0320c9177391112:33866050338150"",""process_id"":""33866050338150"",""sha256"":""92cff5f145d42f85b55aa3be8d3ad9827844a21ec4fbeaa1ddfe1dd4d76c6474"",""timestamp"":""2026-06-14T22:07:17.0000000Z"",""user_graph_id"":""uid:b30c6fd50d674d7aa0320c9177391112:S-1-5-21-000000000-1431365391-3430335985-79117"",""user_id"":""S-1-5-21-000000000-1431365391-3430335985-79117"",""user_name"":""contoso.user""}",33866050338150,2048,"Prevention, process was blocked from execution.","{""blocking_unsupported_or_disabled"":false,""bootup_safeguard_enabled"":false,""containment_file_system"":false,""critical_process_disabled"":false,""detect"":false,""fs_operation_blocked"":false,""handle_operation_downgraded"":false,""inddet_mask"":false,""indicator"":false,""kill_action_failed"":false,""kill_parent"":false,""kill_process"":false,""kill_subprocess"":false,""mfa_required"":false,""operation_blocked"":false,""policy_disabled"":false,""prevention_provisioning_enabled"":false,""process_blocked"":true,""quarantine_file"":false,""quarantine_machine"":false,""registry_operation_blocked"":false,""response_action_already_applied"":false,""response_action_failed"":false,""response_action_triggered"":false,""rooting"":false,""sensor_only"":false,""suspend_parent"":false,""suspend_process"":false}",1781474837,33866052384653,1781474836,,,,ed817c3886ea667ba251060a50ff934257f92ff6fe2e8efb75a966f506d4abac,0000000000000000000000000000000000000000,,,,545461656229,33866052384653,"pid:b30c6fd50d674d7aa0320c9177391112:33866052384653",ldt,"S-1-5-21-000000000-1431365391-3430335985-79117","contoso.user","contoso.user@CONTOSO.local",,,,6c5013391ca490509937309c0521b3c6,"6c5013391ca490509937309c0521b3c6:ind:b30c6fd50d674d7aa0320c9177391112:33866052384653-10166-16219920",80,"14/06/2026, 22:12:19.819","A PowerShell process downloaded and launched a remote file. 
This is often the result of a malicious macro designed to drop a variety of second stage payloads. Review the command line.",,,,"ind:b30c6fd50d674d7aa0320c9177391112:33866052384653-10166-16219920","[{""pattern_id"":10166,""tactic_id"":""TA0002"",""technique_id"":""T1059.001"",""tactic"":""Execution"",""technique"":""PowerShell""}]",PShellDownloadRun,,,,,,,,,"aggind:b30c6fd50d674d7aa0320c9177391112:545461656229","Follow Through","AACNRXn2HKRAUJk3MJwFIbPGLqcHKD33O3-dk1QSobFDpwAATiH-i9ohRw4qJLIDo3wHX0AAtU8er3XMrHMhihW6jYKv4g==",,,"attacker_methodology",70,High,,,,,,,Execution,PowerShell,TA0002,"T1059.001",,,,CrowdStrikeDetections